Legal overview: legal remedies (or lack thereof) in cases of online targeting

Over the last decade, the Azerbaijani government’s increasingly repressive policy against digital rights has made it necessary to discuss the relevant legislation and the legal remedies available. In the following legal review, prepared together with a legal expert, we focus on how the state has been resorting to unlawful persecution measures against critics online, in particular human rights defenders, activists, journalists, and lawyers.

In the analysis presented below, we look at the general trends of online targeting, the existing legal remedies in domestic law, and their effectiveness.

Background information

During 2022, Azerbaijan Internet Watch documented numerous cases of prison sentences handed out on charges of defamation and the arbitrary application of provisions of the Administrative Penalty Code and the Law “On information, informatization and information protection” to limit freedom of expression on the internet, as well as increased reports of cyber-attacks against activists and media professionals.

In its recent annual report published on 16 December 2022, AIW indicated that overall, 2022 has been no different than recent years in terms of online attacks and internet censorship. Human rights defenders, activists, politicians, and media professionals in Azerbaijan are increasingly becoming victims of cybercrimes, including electronic surveillance, privacy infringement, and cyberstalking, due to their independent and legitimate professional activities. The online targeting of individuals critical of the government has become increasingly frequent and constant. And yet none of these cases has been effectively investigated, and the perpetrators have not been identified.

Despite the active use of criminal and administrative offenses legislation, as well as other technical resources, to limit freedom of expression on the internet [including the blocking of key opposition and independent news websites, and summoning and punishing individuals for critical opinions distributed online], the state systematically fails to effectively investigate the complaints of individuals subjected to unlawful covert surveillance (Pegasus), cyber-attacks, online blackmail, and hacking attempts against activists and media professionals. Most cases reveal that online harassment against government critics is organized by the government or government-linked institutions.

In an April 2022 report, Meta said that it had removed a hybrid network operated by the Ministry of Internal Affairs of Azerbaijan that combined cyber espionage with Coordinated Inauthentic Behavior (CIB) to target civil society in Azerbaijan by compromising accounts and websites to post on their behalf.

Domestic remedies against cybercrimes often committed against HRDs, activists, and media

In recent years, scores of human rights defenders, civic activists, journalists, and politicians in Azerbaijan have been complaining about hacking attempts (or hacking) into their personal and professional e-mails, social media accounts, and instant messaging (WhatsApp) accounts. Other complaints include impersonation of social media accounts, dissemination of false information on their behalf, publication of their private correspondence, intimate photos, and videos, and breaches of privacy resulting from intrusion into individuals’ intimate lives through illegal tapping. Furthermore, political activists sometimes face pressure from local police to share their phone passwords during arrests.

Once personal information is unlawfully seized, at least several constitutional rights and freedoms are at stake, such as the right to privacy (Article 32 of the Constitution), the right to honor and dignity (Article 46 of the Constitution), and the right to freedom of thought and speech (Article 47 of the Constitution).

Lawyers in Azerbaijan mostly use various available legal mechanisms to protect the rights of targeted individuals. Illegal interception of personal data, violation of the confidentiality of correspondence and other information, and violation of privacy, including certain cybercrimes such as illegal intrusion, illegal acquisition, and unlawful interference with computer systems, are criminalized by the criminal law of Azerbaijan. As such, lawyers rely on existing criminal law when submitting complaints to law enforcement authorities, requesting a criminal investigation into the alleged act prohibited by the criminal law.

What remedies are available to counter online harassment? To what extent are they effective?

Lawyers with extensive experience defending human rights defenders and activists targeted by cybercrimes say that the Azerbaijani law enforcement authorities and the judiciary are systematically rejecting investigations of cybercrimes committed against government critics.

So under which circumstances and conditions do legal safeguards and remedies function, and to what extent are they effective? We take a look.

General overview of the relevant legislation

Digital security rights, in a general manner, are safeguarded by the Azerbaijani legal framework. The Azerbaijani legal system enshrines the following legal regime concerning digital security.

General constitutional protection and incorporation of international law

The Constitution provides, inter alia, ordre public conditions on digital security. According to Article 32 of the Constitution, privacy rights are secured. The privacy rights that the Constitution prescribes are negative and positive in nature – these rights protect against possible governmental interference (negative aspect) and possible trespass by third parties (positive aspect). Constitutional privacy protection not only protects against offline intrusion but, by its meaning, also covers online targeting. Therefore, Article 32 of the Constitution plays a key role in digital security rights. In addition, Article 68 of the Constitution prohibits arbitrary actions of state authorities and recognizes the right to compensation.

The Constitution also incorporates international human rights obligations of the Republic of Azerbaijan. The Azerbaijani Constitution adopts a monist approach to implementing international law, which means the direct integration of international law rules concerning human rights regulation.

The Republic of Azerbaijan has ratified the International Covenant on Civil and Political Rights (1966) (ICCPR) and the European Convention on Human Rights (1950) (ECHR). Both the ICCPR (Article 19) and the ECHR (Article 8), as well as the jurisprudence of their implementation bodies (the Human Rights Committee (HRC) in the case of the ICCPR and the European Court of Human Rights (ECtHR) in the case of the ECHR), safeguard digital security rights as a part of privacy rights. Moreover, the Convention on Cybercrime (a.k.a. the Budapest Convention) (2001) of the Council of Europe – seeking to address Internet and computer crime (cybercrime) by harmonizing national laws, improving investigative techniques, and increasing cooperation among nations – was ratified by Azerbaijan in 2009.

Both the ICCPR and the ECHR impose two types of obligations on contracting states – negative and positive. This means that the state authorities shall not directly interfere with the right to privacy, including digital security rights, contrary to the requirements of domestic law, without legitimate aims, contrary to the requirement of democratic necessity, or in violation of proportionality (the tripartite requirement for interference with qualified civil rights). In addition, the state authorities have a positive obligation to protect digital security under privacy rights from third parties, and also to initiate effective procedural safeguards.

As such, Azerbaijani legislation prescribes constitutional (ordre public) protection for digital security and harmonizes international law protection with domestic law. However, mere general constitutional protection is not enough for the effective implementation of human rights. The next level is ordinary legislation.

Substantive law

The substantive legal norms concerning digital privacy rights are mainly set out in criminal law and are, by nature, prohibitory sanction rules.

Criminal law provisions are set out in the Criminal Code. The Criminal Code prescribes both general privacy rights violations and specific cybercrimes. General privacy rights violations are covered by Articles 155 (violations of correspondence privilege) and 156 (violations of privacy rights) of the Criminal Code. Specific cybercrimes are set out in Articles 271-273 of the Criminal Code (Article 271 prohibits illegal intrusion, Article 272 bans illegal acquisition, and Article 273 forbids unlawful interference). In addition, the Criminal Code also proscribes violations of operational-search activity rules by law-enforcement bodies concerning privacy and digital rights. Both state and non-state actors are liable for violations of the above-mentioned criminal law provisions. According to the Criminal Code (Articles 156.2.1, 271.2.3, 272.2.3, 273.3.3 of the Code), the commission of the above-mentioned offenses by state officials is considered an aggravating circumstance.

In addition to criminal law, civil law/code provisions also offer protection against violations of privacy and digital rights. Criminal code safeguards are general protections and are not specific to digital security. Article 1096 of the Civil Code sets general criminal code rules for delictual (civil wrong) liability. On the other hand, Article 1100 of the Civil Code specifies delictual liability for state authorities.

It must be noted that different codes of conduct for state officials and law enforcement bodies also enshrine the protection of privacy rights (which also implies digital security) and require disciplinary sanctions against the perpetrators.

The substantive law also contains relevant remedies for covert surveillance. State control over compliance by telecommunication operators and providers with their covert-surveillance-related obligations is regulated largely via the Law “On Telecommunications”, the Law “On Personal Data”, the Law “On Operational Search Activities”, the Criminal Procedure Code, Decrees of the President of the Republic of Azerbaijan, and Decisions of the Cabinet of Ministers of the Republic of Azerbaijan.

AIW’s legal analysis on the State of Internet Freedom in Azerbaijan, a legal overview (July 29, 2021) reveals the gaps within the legislation, policy, and practice that fail to comply with international legal standards in the field of covert surveillance.

Article 11 of the Decision of the Cabinet of Ministers No. 174 dated November 7, 2002 “On additional conditions required for the issuance of special permits (licenses) depending on the nature of the activity”[2] requires telecommunication service providers to install special-purpose equipment determined by the State Security Service (SSS) and the Ministry of Internal Affairs. This equipment allows the security services and the ministry of the interior to access data and information across all types of telecommunication networks for the purpose of ensuring national security. The legislation makes the installation of this special equipment an additional requirement for granting special consent (license) to cellular (mobile) communication services/companies. Companies/services that refuse to install this equipment are refused operational licenses.

Procedural law and jurisdiction

Pursuant to Articles 215.2, 215.3, and 215.5 of the Code of Criminal Procedure, if it is identified that the privacy (digital) rights violations are conducted by third parties (non-state actors), then the jurisdiction to investigate falls within the Ministry of Internal Affairs or the State Security Service (depending on their competence).

According to Articles 204-207 and 215 of the Code of Criminal Procedure, the local or qualified body of the ministry of the interior or the state security services shall initiate the criminal case based on reports of the victim or others. If the initial inquiry finds more evidence of a breach of rights, then a preliminary investigation has to be conducted. Based on the results of the preliminary investigation, perpetrators might be identified and brought to trial. Violations of privacy rights (including digital security) are considered less serious crimes by the Criminal Code and, therefore, trial jurisdiction lies with ordinary district courts.

If it is identified that the privacy (digital) rights violations are conducted by state officials (including law enforcement officials), then investigative jurisdiction falls within the Office of the General Prosecutor. The subordinate prosecutor’s offices or qualified bodies of the prosecutor’s office shall initiate the criminal case against officials or, based on the facts, shall conduct a preliminary investigation. Based on the conclusions of the preliminary investigation, the relevant official(s) might be held accountable and brought to trial. The trial jurisdiction again belongs to the ordinary district courts.

If the relevant investigatory bodies fail to initiate the criminal case, interested parties have the right to challenge the decision or action on non-initiation of the criminal case under judicial review procedure pursuant to Articles 122 and 449 of the Code of Criminal Procedure.

Criminal Code procedures shall be conducted with ordinary district courts or administrative courts. If the statement of claim is directed against a third party, then it is accepted as a civil case and should be heard by an ordinary civil court. The relevant trial procedures are prescribed by the Code of Civil Procedure. If the statement of claim is directed against state bodies, then it is an administrative law dispute and must be heard by an administrative court following the trial procedures based on the Code of Administrative Procedure.

Disciplinary actions are initiated by relevant state bodies, based on complaints or ex officio, and follow the procedures prescribed by the codes of conduct or internal disciplinary reviews.

In addition, concerning cyberattacks, there is another review body within the Ministry of Digital Development and Transport – the Cyber Security Service. While the Cyber Security Service has no power to sanction authorities, it does have the authority to review cyberattack claims and issue general warnings concerning cyberattacks. Furthermore, this body may inform other investigative authorities if the problem concerns these authorities.

Specifics of the criminal law sanctions and operational-search remedies

According to Article 156 (violation of the inviolability of private life) of the Criminal Code, actions that breach the inviolability of private life are prohibited and subject to criminal liability. According to Article 156.1 of the Code, the dissemination, illegal sale or transfer, and illegal collection of information that constitutes a secret of private and family life, as well as the documents, video and photographic materials, and audio recordings containing such information, are all subject to criminal liability.

It should be noted that private life information may be collected on legal grounds and conditions in the manner prescribed by law. Relevant state bodies can do this on the grounds provided by law. However, there are no such grounds provided by law in the complainant’s case. Therefore, the collection of information about the complainant in this manner should be considered as the acts provided for in Article 156.1 of the Criminal Code, that is, the collection of information or an attempt to collect such information, which is a secret of private and family life.

According to Article 271.1 of the Criminal Code, accessing a computer system or any part of it without the right to access it or any part of it by breaching security measures in order to collect computer information stored there or with other personal intent calls for criminal liability. It should be noted that Articles 271 and 272 of the Criminal Code pertain to cybercrime and are primarily concerned with computer information. However, smartphone devices already have the potential to contain all or part of traditional computer data. In this regard, part of the complainant’s computer data is contained in the relevant parts of his/her smartphone. So when scores of civil society activists in Azerbaijan were targeted with Pegasus spyware, the perpetrators thus illegally infiltrated the complainant’s computer system and illegally acquired computer information. This action demonstrates the commission of a criminal offense under Article 271.1 of the Criminal Code.

If the latter offense was committed by an official while abusing his/her official interests, the act is then considered an aggravating circumstance according to Article 271.2.3 of the Criminal Code.

According to Article 272.1 of the Criminal Code, the intentional gathering of computer information not intended for public use, transmitted to the computer system, from the computer system, or within the system, including electromagnetic radiation from the computer systems, which are carriers of such computer information, using technical means by a person not entitled thereto, causes criminal liability. The above-mentioned legal analysis of Article 271.1 of the Criminal Code also applies to Article 272.1 of the Criminal Code.

Article 302 of the Criminal Code (“Violation of the legislation on operational search activities”) criminalizes violation of the law on operational search activities. According to Article 302.1 of the Criminal Code, among other things, the implementation of such activities by authorized persons in the absence of any ground established by law, entails criminal liability, if it causes a significant violation of the rights and legally protected interests of the person. According to Article 302.2 of the Criminal Code, the violation of the law on operational search activity with the intent to secretly obtain information using technical means is considered an aggravating circumstance.

The Operational-Search Activity Act (OSA) and Code of Criminal Procedure allow targeted persons to raise complaints concerning covert surveillance.

Art 4(4) of the OSA stipulates, “[a]ny person, whose rights and liberties have been violated as a result of the actions of the agents of the operative search activity, shall be entitled to complain to the head of the authority – higher in rank to the agents of the operative search activity, prosecutor or the court.”

  • The first type of claim available under Azerbaijani law is an ‘internal claim’ – a claim against the head of the alleged authority that conducted the surveillance.
  • The second type of claim is a claim to a prosecutor.
  • A third type of claim is a claim to a Court.

Effectiveness of legal remedies in the light of international human rights obligations

Legal remedies concerning covert surveillance

The available remedies concerning covert surveillance described above are not effective in practice for the following reasons:

Firstly, given that there is no method of notifying individuals whether or not they were under surveillance, no domestic remedies are available to challenge and investigate instances of covert surveillance by authorities, given the inextricable link between notification and remedies (Zakharov v Russia at [234]; see also Association for European Integration and Human Rights and Ekimdzhiev v Bulgaria App No. 62540/00, 28.06.07 at [91]; Szabo and Vissy v Hungary App No. 37138/14, 12.01.16 at [86]).

As mentioned above, Art 4(4) OSA sets out relevant remedies. However, this provision does not establish a freestanding claim under the OSA – rather, it merely reflects that claims are available under other procedures.

‘Internal claims’ remedies (the first type of remedy) are claims against the head of the alleged authority that conducted the surveillance. The ECtHR has found that such complaints are ineffective as they “do not meet the requisite standards of independence needed to constitute sufficient protection against the abuse of authority” (Zakharov at [292]). As such, any available internal remedies are ineffective.

Prosecutorial review is the second type of remedy. This remedy is not effective either, because it is based on prosecutorial discretion. Once the prosecutor refuses jurisdiction over a complaint or initiates a criminal case, this remedy becomes ineffective.

In the Pegasus spyware case, the prosecutor general’s refusal of jurisdiction over complaints challenged the potential victims’ procedural rights. The prosecutor general remitted the complaints to the state security services, which in the case of Pegasus were a party of interest; this constituted a conflict of interest. By passing the investigation to the state security services, the investigation lost the requisite degree of independence, given that the same body was involved in carrying out the covert surveillance, which is contrary to the case-law standards (c.f. Kennedy v UK at [167-8]) of the European Court of Human Rights.

Judicial claim avenues are a third type of legal remedy. Azerbaijani legislation offers no bespoke judicial remedy for illegal surveillance (c.f. the IPT in Kennedy v UK). Instead, there are only general methods of judicial review either under the criminal procedural code or under civil or administrative law. These are ineffective remedies as well:

  • Whilst it is theoretically possible to judicially review a judicial order authorizing covert surveillance, it is impossible in practice. The decision to authorize covert surveillance is made in closed court in the absence of the target (CPC Art 447.3.3), and targets of surveillance do not have the right to receive the judge’s decision implementing the operational-search measure (CPC Art 448.6). Whilst a decision of the judge implementing operative-search measures may be appealed within three days after the announcement of the court decision (Arts 452-54 CPC), given that the target has neither the right to be present at the hearing nor the right to receive the decision, this right has no practical value in cases of covert surveillance;
  • A claim in the civil courts is impossible. Applicants bear the burden of proof (Code of Civil Procedure Art 77), and given that proper notification of covert surveillance is unavailable, it is impossible to meet this burden and bring a claim against an authority, a situation that also contradicts the views of the European Court of Human Rights (Zakharov at [296]);
  • While a claim under the administrative courts is theoretically possible, it is equally ineffective. Whilst an administrative court is obliged to undertake an objective investigation on their own motion (Art 24 Code of Administrative Procedure (CAP)), in practice this is not observed and a de facto burden of proof is placed on an applicant to provide prima facie evidence of the improper administrative act. Without any evidence of the body conducting alleged covert surveillance, it is impossible to lodge an administrative complaint against authorities. Further, the administrative courts have no jurisdiction over criminal procedures (CAP Art 3.2.1), and if an authority claims that an individual is under criminal investigation the administrative courts will not accept the jurisdiction. Further, the administrative court may refuse to hear cases involving an administrative act in connection with the prevention or elimination of the threat that may cause damage to public or state interests (CAP Art 21.3.2);
  • Finally, a complaint to the Constitutional Court of Azerbaijan is not an effective remedy either (Ismayilov v. Azerbaijan No 4439/04, 17 January 2008).

Remedies against cyber attacks

The above-mentioned conclusion applies, mutatis mutandis, to cyberattacks as well. For cyberattacks, the main relevant remedy is a criminal complaint to law enforcement bodies. However, due to technical issues, many people do not have information about who targeted them. Under normal circumstances, such technical issues should be tackled by an investigation. However, due to prosecutorial discretion and the lack of effective investigation against state officials, the criminal complaint mechanism is not effective in practice. In addition, the Cyber Security Center is not an effective remedy in practice, because this body is also not independent and has no relevant legal powers to conduct an investigation. Consequently, criminal law and administrative law remedies are not effective. In such cases, civil law remedies also cannot be effective due to burden of proof issues (see above).

Specific case studies

There are several case studies that demonstrate that law enforcement authorities are not interested in protecting digital privacy rights despite having an ex officio power to conduct a criminal investigation:

  • On May 4, 2021, a well-known lawyer, Fuad Aghayev, said there was an attempt to hack into his Facebook account. The lawyer said that an unknown person wrote to him from the account of Ilham Huseyn (an active member of the Azerbaijani Popular Front Party) and asked him to download a program similar to “Zoom”, but “safer”, for an interview. After refusing to download the “unknown app”, the lawyer called Ilham Huseyn’s phone and realized that Huseyn’s account was hacked and that the message sent to the lawyer was from the perpetrator behind the hacking.
  • On March 1, 2021, a well-known lawyer, Elchin Sadigov, said that smear campaigns against activists were not investigated properly and that, despite complaints lodged about targeted online attacks, in many cases the courts do not investigate these complaints.
  • On May 15, 2020, the opposition Azerbaijani Popular Front Party (APFP) accused the government of cyberattacks against party activists’ social media accounts. In a statement, the Party noted that as a result of hacker attacks, the Facebook accounts of Emil Selim, Ilham Huseyn, Orkhan Selimzade, and Emin Maniyev were hijacked. In addition, fake social media accounts were created impersonating members of the party’s presidium – Fuad Kahramanli, Asif Yusifli, and Mammad Ibrahim, with the intention to harm their reputation and create chaos in society from these accounts.
  • On March 17, 2021, Bakhtiyar Hajiyev and Narmin Shahmarzade accused the Azerbaijani authorities and law enforcement agencies of the cyber-attacks they were facing. Shahmarzade’s Facebook profile was hacked and her personal images and correspondence were disseminated without her consent. Among the unlawfully disseminated correspondence was Shahmarzade’s conversation with social activist Bakhtiyar Hajiyev.
  • Another activist, Gulnara Mehdiyeva, was also targeted online. Her social media accounts, email, and communication apps were compromised. So were her backups (archives were backed up on Google Drive, to which she lost access after her personal email was compromised). Although Mehdiyeva regained access to her accounts, the damage was extensive. From the account logs, the activist discovered that the perpetrator prepared large bundles of data for download – likely including her email and social media archives, photographs, and other data. The hacker also deleted three Facebook groups dedicated to LGBTQI+ and women’s rights, which Mehdiyeva administered. The attack also exposed the identities of those in the private groups – placing many people, including minors and other vulnerable individuals, at potential risk. A forensic investigation identified two IP addresses from which the attack was carried out. One was previously used in other attacks against independent media in Azerbaijan and was connected to the internet infrastructure of the Ministry of Interior.

In Gulnara Mehdiyeva’s case, the applicant’s lawyer appealed to the Yasamal District Police, which refused to launch a criminal investigation on October 6, 2022. The lawyer appealed the decision of the Yasamal District Police to the Yasamal District Court. The applicant’s lawyer referred to the legal grounds that the applicant’s account on social networks was illegally hacked and her personal information was seized, claiming that this event satisfies the constituent elements of Articles 155, 156, 272, and 273 of the Criminal Code.

Dismissing the applicant’s appeal, the District Court considered that the criminal act in Article 272 of the Criminal Code is related to the interception of computer data but not the data of social media accounts, noting that computer data and social network data are different from each other.

Furthermore, the Court also considered that the criminal acts in Articles 155 and 156 of the Criminal Code are related to breaching the confidentiality of correspondence, telephone conversations, mail, telegraph, and other information and illegal gathering of confidential information of personal and family life which is not relevant to the applicant’s case.

Interestingly, the Court concluded that since the hacking was of the activist’s social media account, the information shared there was public and thus could not be considered a secret, and that “social network was not a place where information considered ‘secret’ was protected.”

Lawyers appealed these conclusions of the District Court, which were wrong and were a narrow interpretation of the national and international legislation in this field. The lawyer, in the appeal complaint, explained in detail how the District Court’s misinterpretation of the national legislation contradicted the relevant international law, referring to the respective provision (Article 271.2) of the Criminal Code and Article 1 of the Convention “On Cybercrime”.

The lawyer also claimed that the applicant’s information on the social network such as her personal photos, videos, and personal email correspondence were also intercepted and that all this information constituted private information, therefore, the Court’s conclusion was unfounded. The applicant’s appeals were dismissed by the Appeal and Supreme Courts and the applicant submitted a complaint to the European Court of Human Rights.

  • On November 3, 2021, the founders of Toplum TV, an online news platform, said their Facebook page was hacked. The hacker(s) removed several videos, including a discussion with an opposition politician, Ali Karimli. The hacker(s) accessed the page through another founder’s Facebook account, deleted videos and page likes, and changed the name of the page.
  • The Committee of Ministers of the Council of Europe (to which Azerbaijan is a party) mandates that member states comply with the judgments and certain decisions of the European Court of Human Rights. And yet, the court’s decision on Khadija Ismayilova group v. Azerbaijan (Application No. 65286/13) calling on Azerbaijan to duly investigate committed acts, where they [the authorities] failed to do so, and any possible connection and links between crimes committed against journalists and their professional activities, was not complied with.[3]

The cases illustrated here are by no means exhaustive. These and other examples previously documented by Azerbaijan Internet Watch and elsewhere illustrate that the legal remedies for cyber-attacks and covert surveillance are not effective in practice. In all of the cyber-attack and covert surveillance cases that have been brought before the courts in Azerbaijan, the prosecuting authorities failed to initiate a criminal case and the district courts backed the prosecuting authorities’ decisions, even in cases where evidence exposed state authorities and/or related persons/entities being behind the attacks.

Conclusions

Our goal in putting together this legal overview was to demonstrate that digital security rights are not protected effectively in Azerbaijan. As we illustrate, violations of digital security rights occur on two levels: cyber-attacks and covert surveillance. Both types of violations are sophisticated and require contemporary preventive and procedural safeguards. However, existing legal remedies are not effective.

Most remedies set out in the legislation have shortcomings: there is no automatic notification system concerning covert surveillance; there is no independent internal review body; there is a lack of rules against prosecutorial discretion; there is no mechanism in place addressing the conflict of interest between law enforcement and state security bodies; and there are challenges regarding judicial avenues.

Moreover, on cyber-attack issues the relevant qualified body, the Cyber Security Center, lacks proper legal power to conduct an investigation and is not independent. The issue of independence is important when attacks, as findings of independent digital security rights watchdogs demonstrate, are carried out by state authorities or related entities.

Practical case studies show that despite the scale of cyber-attacks, prosecuting authorities did not initiate even a single criminal case concerning attacks. This creates a culture of impunity regarding violations of digital security rights and has a chilling effect on activists’ right to freedom of expression and other political rights. Similar problems also exist in cases concerning covert surveillance – the lack of progress on Pegasus spyware investigations attests to the prosecuting authorities having no interest in initiating criminal cases.  

Consequently, the protection of digital security rights in Azerbaijan has profound problems, in both its preventive and procedural aspects and in terms of both negative and positive obligations. Available domestic legal remedies are effective neither in legislation nor in practice to tackle the current problems.

[1] Paragraph 1 of article 39 of the Law on Telecommunications states that “operators, providers are obliged to create conditions for conducting search operations, intelligence, and counter-intelligence activities in accordance with the law; to provide telecommunications networks with additional technical means in accordance with the conditions established by the relevant executive authority; to resolve organizational issues; and to keep secret the methods used in conducting these events.” Paragraph 2 of the article states that “The operator, the provider shall be liable for the violation of these requirements in accordance with the law.”

[2] The Decision of the Cabinet of Ministers No. 174 of 7 November 2002 “On additional conditions required for the issuance of special permits (licenses) depending on the nature of the activity”, https://e-qanun.az/framework/946

[3] Case Description: Khadija Ismayilova (App. 65286/13). The shortcomings identified in the Court’s judgment need to be remedied, in particular:

  • to investigate the potential link between the applicant’s professional activity and the receipt of a threatening letter;
  • to properly question an important witness, Mr. N.J., an employee of Baktelekom, who could shed light on the identity of the possible authors of the crime regarding the installation of a hidden camera in the applicant’s flat;
  • to investigate the identity of the person who sent the threatening letter to the applicant from Moscow;
  • to investigate the websites where the intimate videos of the applicant were posted;
  • to investigate the words “SesTV Player” on the video and its potential connection with the Ses newspaper.
    • https://hudoc.exec.coe.int/eng?i=004-52409

In Azerbaijan, hasty legislative measures in response to cyber threats leave protection of personal data on the back burner

In an increasingly digitalized world, collection, retention, and processing of private data have an essential role for both private and public bodies for the purpose of their services to citizens or clients/users. However, in the absence of strong data protection regulations and cybersecurity, privacy infringements are inevitable. The analysis shared below indicates that in Azerbaijan, the national legislation on personal data protection does not effectively protect individuals against the arbitrary use of their personal data by both public and private entities.

The analysis also indicates that the national laws restrict and control personal data with intrusive measures, such as equipping telecom networks with special devices, and real-time access to vast amounts of personal data, in the absence of a criminal investigation or judicial order. As such, the absence of clear and enforceable regulations to protect personal data against arbitrariness and flawed systems due to negligence puts personal data at a higher risk of infringements.

To effectively illustrate how in practice, no control and legal remedies are implemented in relation to the collection and processing of personal data in the context of Azerbaijan, we specifically looked at the telecom industry and a wave of hacks into state-run databases containing vital citizens’ personal data.

Our findings underline the need to strengthen national laws and the practice of protecting individuals’ personal data in light of the growing number of infringement incidents of individuals’ personal data collected by state authorities and corporate entities as a result of existing legal loopholes and a wave of in recent years connected with personal data protection in Azerbaijan.

International standards

The protection of personal data which falls within the scope of the right to privacy is recognized internationally as a human right and countries are required to respect it. This right is enshrined in different international human rights treaties ratified by the Republic of Azerbaijan. These include the Universal Declaration on Human Rights (Article 12), International Covenant on Civil and Political Rights (Article 17), Convention on the Rights of the Child (Article 16), and International Convention on the Protection of All Migrant Workers and Members of Their Families (Article 14).

At the regional level, the right to privacy is protected by the European Convention on Human Rights. Article 8 (Right to respect for private and family life, home and correspondence) of the convention holds that telephone data, emails, and Internet use (Copland v. the United Kingdom, 2007 §§ 41-42), and data stored on computer servers (Wieser and Bicos Beteiligungen GmbH v. Austria, § 45), fall within the scope of protection of Article 8. The European Court of Human Rights also acknowledges that the protection of personal data is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life, home, and correspondence, as guaranteed by Article 8 of the Convention (Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland [GC], 2017, § 137; Z v. Finland, 1997, § 95).

The mere storage of personal data can violate a user’s right to privacy. The violation depends on the context in which the data is collected, the way it is collected, processed and used, and the outcome of the user data collection (S. and Marper v. the United Kingdom, 2008).

This right is further promoted and reinforced by the Council of Europe Convention 108 and a number of recommendations in relation to the protection of personal data adopted by the Committee of Ministers of the Council of Europe.

Azerbaijan has ratified various international and regional human rights treaties providing protection to the right to privacy and personal data, and as such, committed to ensuring relevant international human rights standards in relation to personal data protection. In 2009, the country joined Convention 108 also known as the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data. However, Azerbaijan is not a party to the Additional Protocol to Convention 108 which requires each party to establish an independent authority to ensure compliance with data protection principles and lays down rules on trans-border data flows.

A legally binding international data protection treaty establishes a number of principles for the signatory states to ensure that data is collected and processed fairly and through procedures established by law, for a specific purpose, that collected data is stored for no longer than a set time, and that individuals have a right to access, amend or erase their data.

Practice in Azerbaijan

The rights related to personal data are guaranteed by Article 32 of the Constitution of Azerbaijan, which provides the right to privacy of personal and family life, including information transmitted by various means of communication, including correspondence, telephone, mail, and telegraph. The Constitution prohibits acquiring, storing, using, and spreading information about a person’s private life without his/her consent.

The main law covering personal data in Azerbaijan is the Law on Personal Data adopted on May 11, 2010 [No 998-IIIQ available in Azerbaijani here]. Article 6 of the Law on Personal Data sets out the forms of state regulation,[2] which are regulated through different normative legal acts.

In this context, personal data refers to information that makes it possible to determine, directly or indirectly, the identity of a person [The Law on Personal Data, article 2.1.1]. This information includes name, last name, patronymic, date of birth, and other information contained in the documents of identity, as well as data revealing racial or ethnic origin, marital status, religious faith and beliefs, and health or criminal record of an individual.

The Law on Personal Data does not contain an exhaustive list of data that is deemed to be “personal data”. Thus, what constitutes personal data must be assessed on a case-by-case basis. Personal data is defined as any information referring directly or indirectly to an identified or identifiable individual (the “data subject”). The Data Protection Law also sets forth special categories of personal data. These cover information referring to a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, personal health, sex life, and criminal record. In addition, the processing of biometric data is regulated by the Data Protection Law.

As per the Decision of the Cabinet of Ministers of Azerbaijan about “the requirements for the protection of personal data” adopted on September 6, 2010, seven state institutions are granted the authority to supervise the fulfillment of the requirements for the protection of personal data. These are the Ministry of Digital Development and Transportation; the State Security Service; the Foreign Intelligence Service; the Ministry of Internal Affairs, the Ministry of Justice; the Special State Protection Service; the Special Communication and Information Security State Service; and the Financial Markets Control Chamber.

Under the Law on Personal Data, collection, processing, and cross-border transmission of personal data of any physical person are permitted only with the written consent of that person. Similarly, Article 6 of the Convention for the Protection of Individuals with Regard to the Processing of Personal Data states that the processing of special categories of personal data shall be allowed only where appropriate safeguards are enshrined in law, complementing those of this Convention. Such safeguards shall guard against the risks that the processing of sensitive data may present for the interests, rights, and fundamental freedoms of the data subject, notably the risk of discrimination.

In the context of Azerbaijan, the country’s Law on Personal Data (Article 13.2.1) provides an exception where personal data can be made accessible to third parties without the consent of the subject. This exception is based on Article 5.4 of the Law on Personal

A recent wave of cyber threats and Azerbaijan’s response 

Azerbaijani citizens have long suffered significant harm from hacks into the database of key public institutions or from monopolistic companies transferring personal user data without users’ consent. This has been the case at least since 2011.

2022 was no exception. Multiple data leak incidents involving the personal data of millions of citizens, allegedly obtained from government agency databases, were reported in the course of this year. Officials say cyber-attacks have increased in the aftermath of the second Karabakh war [September 2020] and peaked once again during the September border clashes this year. Weak protection mechanisms have placed Azerbaijan 40th among 194 countries in the Global Cybersecurity Index in 2021.

The most recent cyber-attack took place on August 8, 2022. Large-scale cyber-attacks against a number of state institutions and banks in Azerbaijan were reported by the State Service for Special Communication and Information Security. Further details of the hack, including how much data was stolen, remained unclear.

On April 20, 2022, the website of the Compulsory Insurance Bureau of Azerbaijan was compromised. The perpetrator(s) of the hack claimed that the entire system of the Compulsory Insurance Bureau was destroyed, and more than 40 million pieces of information were seized. The online platform of the State Motor Transport Service (e-fn.danx.gov.az) was also among the hacked institutions.

According to the June 2020 “Cybersecurity guidelines for the Eastern Partnership countries,” released by the European Union’s EU4Digital Initiative, the main obstacles and gaps in the area of cybersecurity in Azerbaijan were the country’s outdated national legislation and insufficient commitment of national authorities to cybersecurity matters.[3]

The country’s own Cybersecurity Governance Assessment Report published in November 2020, indicated that there was a lack of cybersecurity benchmarks for digital web providers, due to the absence of a competent authority in the field of cyber/information security to supervise public and private digital service providers with regard to the implementation of cyber/information security requirements.

In light of recent cyber threats, the government of Azerbaijan has come up with several legislative and policy measures – a document on the security of critical information infrastructure and information and cyber security strategy. On September 21, 2022, the head of the department of the State Service for Special Communication and Information Security of Azerbaijan, Tural Mammadov, stressed that the cyber strategy submitted to the Cabinet of Ministers will be approved soon. The “National Strategy of the Republic of Azerbaijan on Information Security and Cybersecurity for 2020 – 2025” has been in the works since March 2020.

New legislative amendments

On April 17, 2021, President Ilham Aliyev signed an order “On some measures in the field of ensuring the security of critical information infrastructure.” The order authorized the State Security Services of Azerbaijan to ensure the security of critical information infrastructure including the fight against cyber threats.[4]

In May 2022, the parliament approved amendments to the Law of the Republic of Azerbaijan “On information, informatization, and protection of information.” The amendments included 9 new concepts and a new chapter, named “Security of critical information infrastructure,” which consisted of 6 articles. Amendments that entered into legal force on July 6, 2022, brought new concepts such as critical information infrastructure, cyber security service provider, information security, cyber threat, cyber-attack, and cyber incident to the national legislation. In connection with the adoption of amendments to the Law “On information, informatization, and protection of information” two new articles were added to the Code of Administrative Offenses providing administrative liability for the violation of the order ensuring the security of critical information infrastructure.

Article 371-1 envisages liability for violation of the rule of ensuring the security of critical information infrastructure. Article 602-3 envisages liability for failure to fulfill the requirements of the authorized body (official) in the field of ensuring the security of critical information infrastructure.

On July 16, 2022, the decree of the Cabinet of Ministers was tasked to prepare draft rules for ensuring security and proposals on the criteria of critical information infrastructure and facilities within 2 months.

Personal data vs. surveillance and commercial use of personal data   

How do national laws protect personal data in the telecom industry?

Collection, processing, and protection of personal data, including individual information created by means of technology [SMS, phone calls, etc.] are mainly regulated by several laws [on Telecommunications, On information, informatization, and protection of information, and on Personal Data] and normative legal acts of the Cabinet of Ministers and other central executive powers.

In Azerbaijan, customers entering into a contract with mobile operators [to complete SIM card registration] are obligated to provide an extensive amount of personal data. This is regulated by Article 40 of the law On Telecommunications and the decision of the Cabinet of Ministers dated July 7, 2005, “On the approval of the conditions required for the sale and use of communication facilities by communication enterprises (operators), as well as their dealers.”[5] The collected user data is then stored in the single database of operators and on AzInTelecom (State company of the Ministry of Digital Development and Transportation) in an electronic format.[6] According to a decision of the Cabinet of Ministers, the Information Computing Center of the Ministry of Digital Development and Transport where the personal data are gathered and processed is established together with the Ministry of Internal Affairs and State Security Service.[7]  

Pursuant to purposes, and operation-search activities and solve relevant organizational and technical issues in relation to such activities within the operators’ information systems.[8]

The Presidential Decree No. 507 dated June 19, 2001 (IV) “On the division of powers of search operations’ entities while carrying out search operations,” ensures that the Ministry of Internal Affairs and the State Security Service can autonomously connect to the communication networks of telecom operators.[9] That being said, the presidential order regulating the conduct of this kind of search and operation activity in the telecom industry dated February 15, 2017, is not public.[10]

The above-mentioned legal environment makes subscribers’ personal data accessible to the law-enforcement authorities given that all collected user personal data is accumulated in the database established together with the law enforcement authorities or is equipped with the technical means allowing law-enforcement authorities to access users’ personal information. Also, according to Article 11 (IV) of the Law on Operation and Search Activities, the decision of the court (judge) or investigative body or the authorized subject of operative search activity on the implementation of operation-search measures can be accepted not only when there is an initiated criminal case but also in a wide range of circumstances including in an event the state security and/or its

Pursuant to article 445 of the Criminal Procedure Code, search operations such as interception of telephone conversations; monitoring of mail, telegraph, and other correspondence; and extraction of information from technical communication channels and other technical devices are carried out only on the basis of a court decision.[11] However, according to Article 10, paragraph 4 of the Law on “Operation and Search Activities”, and Article 177.4 of the Criminal Procedure Code, these search operations may also be carried out without a court decision, based on a reasoned decision of an authorized officer of the body carrying out the search operation.[12] This decision must be presented to the court conducting judicial oversight and to the prosecutor conducting the procedural management of the preliminary investigation within 48 hours after the relevant measures are taken. In practice, most of the investigations carried out based on a reasoned decision of an authorized person have [13]

The selling/giving of personal data to third parties for commercial purposes

Azerbaijani media and social networks regularly discuss the reports and complaints connected with the processing (transfer/sale) of SIM card users’ personal data without their consent for commercial purposes.

In accordance with article 23.1 of the Law of the Azerbaijan Republic “On Advertising” dated May 15, 2015, No. 1281-IVQ, the telecom operator and provider may broadcast advertisements based on the contract concluded with the advertiser. The telecom operator and provider can send the advertisement to the subscriber individually only if the sending of the advertisement is agreed upon in the written contract concluded between the company and the subscriber. The existing law obligates the telecom operator and the provider to give the subscriber the option to opt out from receiving advertisements at any time, or to broadcast only the advertisements the subscriber wishes to receive from telecom operators.[14] Similar provisions are envisaged in Article 50-1 of the Law “On Telecommunications.”[15]

According to Article 9.10 of the Law on Personal Data, personal data collected and processed in corporate information systems may be presented to third parties for a fee. This procedure is regulated by the Decision of the Cabinet of Ministers, “Regulation on the transfer of personal data collected and processed in corporate information systems to third parties on a paid basis” which was adopted on March 2, 2011.[16] According to this regulation, the sale/transfer of data to a third party only applies to the open category of personal data.[17] The open category of personal data refers to the (i) information which has been anonymized in a specified manner, (ii) made public by the subject, or (iii) entered into the information system created for general use, with the subject’s consent. The Regulation (article 2.1) further requires a contractual agreement between the owners of personal data and the third party intending to obtain the personal data and additional permission of the state body that maintains the state register of information systems (Ministry of Digital Development and Transport).[18] The Regulation (article 2.3) also determines mandatory contractual clauses for the agreement on the transfer of personal data collected and processed in corporate information systems to third parties on a paid basis. It establishes specific duties[19] for the third parties who intend to obtain personal data.

However, agreements between operators and providers, and third parties on the sale of personal data are not provided to owners of personal data (individuals whose personal data was transferred) or published. Therefore, individuals are prevented from knowing the scope of the data sold and further specifics of the use of their personal data.

However, the Law on Personal Data (article 7.1.2.) provides that owners of data have the right to request the legal justification for the collection, processing, and transfer of personal data about themselves and to receive information about the legal consequences (for themselves) of the collection, processing, and transfer of this data to third parties.

How is the consent given?

There are over ten million mobile phone subscribers in Azerbaijan.[20] Azercell LLC, Bakcell LLC, and Azerfon LLC (A brand of Nar) are the three major mobile phone operators. Subscription contracts of all three major mobile operators reveal that all contracts include many similar conditions because of the Law on Telecommunication which sets the mandatory clauses for such contracts between operators and subscribers.[21] As such, there is little difference in the way the operators use personal data. The subscription agreements individuals enter with mobile operators (at least in the subscription agreements distributed on the websites of Bakcell LLC and Azercell LLC) include provisions indicating “giving consent to receive advertising SMS”. Individuals often overlook these conditions or pay no attention.

A review of the consent clauses in the subscription agreements demonstrates that such provisions are not clearly reflected and do not explicitly state concrete implications for subscribers when choosing “to receive advertisement SMS” and what this means from the protection of personal data perspective.

However, the Law on Personal Data (article 8.2) sets out that the individuals’ written consent for the processing of personal data must include the purpose for collecting and processing personal data, the lists of personal data consented to be processed by the subject, and their processing operations, the validity period of the subject’s consent and the conditions for its withdrawal, conditions for destruction or archiving of personal data collected about the subject in accordance with the legislation after the expiration of the specified period of storage of personal data in the relevant information system or after the subject’s death.

As the contracts between the advertising companies and mobile operators are not public, it is not clear how the mobile operators allow third parties “to send advertising SMS” to subscribers. Being aware that the operators use the personal information of subscribers to sell targeted ads, subscribers do not know whether such contracts also ensure the transfer of the phone numbers to third parties, or what concrete personal data is used by mobile operators to identify eligible subscribers to send advertising SMS.

None of the three main telecom operators have published Privacy Policies in relation to the protection of personal data in regard to using SIM cards. Azercell LLC[22] and Azerfon LLC[23] do have privacy policies in relation to their policies on data protection.

In the example of the subscription agreement of Bakcell LLC[24], the contract includes one article that refers to advertisement:  “4.3. On the basis of this Agreement, the Subscriber agrees to the automatic sending of information, entertainment, and advertising SMS to their number, and if the Subscriber refuses to receive any type of SMS, the sending of such SMS to the corresponding number is stopped.”

In the sample contract of Azercell LLC [25], the provision of “whether the subscriber consents to receive advertising SMS” requires an affirmative answer. This is good, especially in comparison to the sample contract of Azerfon LLC (Nar)[26], where there is no clause regarding obtaining consent for such advertisement services. Instead, provision 6.4. of the contract states, “By signing this contract, the subscriber agrees to receive advertising or entertainment SMS or any other information to the number(s) he/she is using”. In addition to that, the Azerfon LLC (“Nar”) Privacy Policy states that “the subscriber accepts that Azerfon is not responsible for the disclosure of his/her information to third parties through the “Nar+” service application”.

In practice, individuals buying SIM cards are offered standard contracts and are not offered an opportunity to effectively refuse to give consent to receiving such services. It seems that the subscriber is offered the opportunity to unsubscribe from ads only after activating the SIM card. It is then the subscriber’s responsibility to contact the operator and ask for a specific code that would stop this service.

None of the three mobile operators’ contracts contain a provision on the operators’ responsibility in relation to the protection of subscribers’ personal data even though operators receive an extensive amount of personal information during the sale of SIM cards. The operators also oblige subscribers to update the operators in case of any changes to their personal data.[27] Such clauses in the contracts in the case of all three mobile operators are clearly non-negotiable, as mobile operators design their contracts unilaterally, and the subscriber has no effective option to remove those conditions from the contract except in the subscription contract of Azercell LLC.

Different Council of Europe instruments refer to consent about the processing of users’ personal data. Bearing in mind that provisions of the Council of Europe Convention for the Protection of Individuals with Regard to the Processing of Personal Data apply to the automated data processing activities of network operators and parties providing telecommunication services, the telecom companies must respect the requirements of the Convention, which Azerbaijan is a party to. Thus, Article 5 (2) – “Legitimacy of data processing and quality of data” of the Convention stipulates that “each Party shall provide that data processing can be carried out on the basis of the free, specific, informed and unambiguous consent of the data subject or of some other legitimate basis laid down by law.”

Recommendation (95)4 of the Committee of Ministers of the Council of Europe to Member States[28] recommends that the collection and processing of personal data in the area of telecommunications services should take place and develop within the framework of data protection policy, taking into account the provisions of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and in particular the principle of purpose specification (3.1). The mentioned Recommendation also envisages that “Domestic law should provide the appropriate guarantees and determine the conditions under which subscriber data may be used by network operators, service providers, and third parties for the purposes of direct marketing by telephone or by other telecommunications means” (7.8).

The “Principles underpinning privacy and the protection of personal data” (2022) adopted by the UN Special Rapporteur on the Right to Privacy analyses international law in relation to consent and stresses the consent of the subject (owner of the personal data) as one of the legitimate grounds for the processing of personal data.[29] The UN Special Rapporteur concludes that the principle of consent is closely linked to the principle of legality, as it is the most common internationally recognized permissible ground for the processing of personal data (paragraph 31).

KEY FINDINGS

Do mobile operators give subscribers’ phone numbers and other personal information to other companies?

In the absence of publicly available information about contracts between mobile operators and third parties concerning the sale or transfer of private data; the lack of privacy policies of telecom companies, including the lack of any comprehensive data on protective legislation and oversight, it is difficult to say that SIM users’ personal data is not shared with other private and public databases, is not used for enabling the companies and states to create specific profiles of individual citizens, and is enabling other third parties to access a vast amount of data for commercial purposes.

In March 2017, Azerbaijan’s Supreme Court judgment “Viza” Law Firm v. “Azercell Telecom” LLC and “Sindbad” LLC established that one of the main mobile telecom companies, Azercell LLC, transferred the number of one of its subscribers (clients) to another company, which used the provided number to send advertisement SMS despite there being no legal ground (contract) between the company sending the advertisement and the user receiving the notifications via SMS. The Supreme Court judgment allows the conclusion that mobile operators may share users’ personal data with third parties for direct marketing without explicitly mentioning this in the subscription contracts.

In July 2019, Azerbaijan’s Commissioner for Human Rights expressed concern over serious problems in data protection in the telecom industry where mobile operators were distributing users’ personal data without their knowledge and consent.[30]

Do the law-enforcement authorities have access to personal data gathered in the telecommunication systems beyond the rule-based surveillance regime?

The existing system around SIM card registration gives law-enforcement agencies access to, and permission to govern, an extensive database holding a vast amount of SIM card users’ private data. This puts individuals at risk of being tracked or targeted and having their private information misused. Such access undermines users’ ability to communicate anonymously and their right to privacy.[31]

This also poses a threat to vulnerable groups and facilitates an environment of state surveillance, making the tracking and monitoring of users easier for law enforcement authorities.

One prominent example illustrating this trend was documented in January 2019 when, after an opposition protest rally, scores of participants received calls on their mobile phones from the local executive authorities and the police. All were interrogated about their participation in the rally. As such, mobile operators have long been accused by activists of providing their mobile numbers to the authorities.[32] Responding to these claims, the mobile operators said the data shared with law enforcement was provided based on legislation and official request.[33] Meanwhile, the Ministry of Interior confirmed that the rally participants were indeed called in for questioning on the grounds that this was a “police activity, and the police were carrying out both public and operation-search and other investigative activities.”[34]

Some experts suggest that having mandatory SIM card registrations further fuels their illicit use. It creates a need for a black market, as people want to communicate anonymously and it encourages identity fraud as people try to evade the system altogether.[35]

Conclusion

National legislation of Azerbaijan regulating the telecommunication sector must be reviewed in line with the established principles and standards of the European Convention on Human Rights, including the Convention for the Protection of Individuals with Regard to the Processing of Personal Data.

The national laws must be designed in a way where personal data is processed lawfully (with free, informed, unambiguous consent of the data subject or on the basis of law) for clearly defined legitimate purposes. In a context where national security and public safety interests are so often used to justify unprecedented intrusions on human rights and freedoms, it is crucial to ensure that new legislative and policy response to cyber threats does not harm individuals’ personal data.

In particular, all national legal frameworks in the areas of surveillance, interception, protection of personal data, and other relevant areas, must be accessible to an individual in question, who must be able to foresee the consequences of its application to him/her.

The government must adopt effective legal remedies and procedural safeguards against arbitrary and unlawful control of personal data with excessive and wide discretion. Minimum safeguards for the exercise of discretion by public authorities must include detailed rules on (i) the nature of the offenses (grounds) which may give rise to an interception order; (ii) duration, scope, and effective review of interception orders; (iii) the precautions to be taken when communicating the data to other parties. Nationally, an independent regulatory authority should be established to ensure supervision and review complaints related to personal data breaches.

The laws must also be formulated with sufficient clarity and precision to give citizens an adequate understanding of the conditions and circumstances in which the authorities are empowered to resort to this secret and potentially dangerous interference with the right to respect for private life and correspondence.

National laws also must be amended in order to ensure that telecommunication services offer guarantees for users’ privacy, the secrecy of their correspondence, and the freedom of communication. Furthermore, existing rules equipping and enabling the use of special tools within the telecommunication networks must be re-designed in order to provide privacy for users and mitigate risks of abuse of personal data by the authorities.

National legal frameworks should encourage the private sector (in particular in the areas of mass personal data collection and processing) to develop data protection policies.

on increasing cyber security within the critical information infrastructure should recognize that the private sector is responsible for cyber security however it should not enhance government control over the personal data collected and processed by the private sector. The government’s appetite to control telecom infrastructure and information in cyberspace is unlikely to bring positive changes with respect to personal data protection in Azerbaijan.

In this context, the cyber security measures must put personal data at the heart of the planned legislative and policy measures, in particular removing the risk of abuse of personal data by telecommunications service providers and state authorities.

Footnotes

[1] Rec(2002)9 18/09/2002 on the protection of personal data collected and processed for insurance purposes; Rec(95)4 07/02/1995 on the protection of personal data in the area of telecommunication services, with particular reference to telephone services; Rec(91)10 09/09/1991 on the communication to third parties of personal data held by public bodies; Rec(85)20 25/10/1985 on the protection of personal data used for the purposes of direct marketing.

[2] (i) establishing the legal basis for the collection and processing of personal data; (ii) ensuring basic human and civil rights and freedoms during the collection and processing; (iii) licensing of activities on collection and processing of personal data; (iv) conducting state registration of information systems of personal data; (v) certification of information systems of personal data and other ICT tools; etc.

[3] According to the report findings, national law on the protection of personal data is outdated, and national legislation does not require data breach notifications. The report also identifies the main challenges as insufficient funding, lack of qualified personnel and resources in the cybersecurity area, and insufficient commitment of national authorities to cybersecurity matters. The report also indicated that security audits verifying whether baseline cybersecurity measures are implemented are carried out only in the banking sector. It further notes that there is no formal definition of Critical Information Infrastructure (CII) and that CII operators are not identified at the national level.

[4] The State Security Service of Azerbaijan performs those functions jointly with the State Service of Special Communication and Information Security of Azerbaijan toward the state bodies, and public legal entities created on behalf of the state, in relation to legal entities belonging to the state.

[5] The Cabinet of Ministers decision dated July 7, 2005, requires the collection of personal data from subscribers, such as the subscriber’s SIM card number, parameters of the subscriber identification module (IMSI, etc.), the mobile device’s international identification number (IMEI), ID card or passport (with photo), the concrete and detailed address and place of residence of the subscriber, and bank account and registration details for legal entity subscribers, etc. https://e-qanun.az/framework/10541

[6] The implementation of the changes to the mobile number sale rules is being finalized, E-Gov.az portal, https://www.e-gov.az/az/news/read/349

[7] The preamble of the Cabinet of Ministers decision notes that the rule (author’s note: the mandatory collection of personal data and the establishment of a unified database of SIM card holders) was adopted in order to implement the provisions specified in Article 39.1 of the Law “On Telecommunications”, Articles 9 and 12 of the Law “On Operation-Research Activities” and Article 17.4 of the Law “On Intelligence and Counter-Intelligence Activities”, which oblige telecommunication companies to create conditions for the search and operational activities of law enforcement authorities. Thus, the provisions in the various legal acts referred to, as well as these regulations, allow law enforcement agencies (the Ministry of Internal Affairs and the State Security Service) to jointly form a database in which personal data collected by communication enterprises is gathered (paragraphs 3 and 4 of the Regulations).

[8] Pursuant to article 10.5 of the Law on Personal Data, article 39.1 of the Law on Telecommunications, and according to article 17.4 of the Law on Intelligence and Counterintelligence Activities, telecom operators must create conditions for conducting intelligence and counterintelligence, and operation-search activities in accordance with law and solve relevant organizational and technical issues in relation to such activities within the operators’ information systems.

[9] In accordance with the Presidential Decree No. 507 dated June 19, 2001 “On the division of powers of search operations’ entities while carrying out search operations,” legal entities and individuals providing communication services are required to install special equipment that provides access to information for the search and operation purposes. https://e-qanun.az/framework/3569#_ednref12

[10] On the approval of the “Rules on ensuring information security during the implementation of operational search measures in communication networks” approved by the Presidential order on 2 October 2015, https://e-qanun.az/framework/30840

[11] Wiretapping of telephone conversations and extraction of information from technical communication channels and other technical means are carried out by the Ministry of Internal Affairs and the State Security Service in accordance with Presidential Decree No. 507 dated June 19, 2001 “On the distribution of authorities of entities of operative-searching activity in the implementation of investigation and search operations”, available (in Azerbaijani) at http://e-qanun.az/framework/3569

[12] In this case, the authorized official of the body conducting the search operation shall, within 48 hours of carrying out the search, submit the reasoned decision on the conduct of the search operation to the court exercising judicial supervision and the prosecutor.

[13] Dissenting opinion of judge Isa Najafov in the decision of the Plenum of the Constitutional Court “On the interpretation of some provisions of Articles 137 and 445.2 of the Code of Criminal Procedure of the Republic of Azerbaijan”, February 12, 2015. Available (in Azerbaijani) at: https://constcourt.gov.az/az/decision/1159

[14] The telecommunication operator and provider shall be responsible for sending advertising without the consent of the subscriber or contrary to the provisions of this Law. Law on Advertising (Article 23), https://e-qanun.az/framework/30348

[15] The Law On Telecommunications, https://e-qanun.az/framework/10663

[16] “Regulation on the transfer of personal data collected and processed in corporate information systems to third parties on a paid basis” adopted on March 2, 2011, https://e-qanun.az/framework/21385

[17] The person’s name, surname, and patronymic are permanent open personal information. (The Law on Personal Data, Article 5.3).

[18] State registration of information systems and cancellation of state registration are carried out by the Ministry of Digital Development and Transport of the Republic of Azerbaijan, as determined by the Decision (article 1.3) of the Cabinet of Ministers On approval of “Rules for state registration of information systems of personal data and cancellation of state registration” dated August 17, 2010. https://e-qanun.az/framework/20039

[19] The contract should specify the content of the provided data, purposes of acquisition, fields of use, and methods, and the following obligations of the third party acquiring personal data should be provided: ensuring the protection of obtained personal data and the rights of personal data subjects in accordance with the Law of the Republic of Azerbaijan “On Personal Data”; not to give or transfer the obtained personal data to other persons in any way; exclusion of all threats and dangers for personal data subjects when using personal data, and not making offers that may cause them unwanted or additional costs, as well as anonymous or misleading personal data subjects. The material, technical and organizational capabilities of third parties who obtain personal data collected and processed in corporate information systems or their personal data operators must be in accordance with the purpose of data acquisition and the requirements for their protection.

[20] 2022 CEIC Data, an ISI Emerging Markets Group Company, https://www.ceicdata.com/en/indicator/azerbaijan/number-of-subscriber-mobile

[21] Article 40 of the Law on Telecommunications requires that the following provisions are reflected in the contract and other documents should be a part of it: i) the period (time) and conditions of connection and use of end equipment to the telecommunications network; ii) conditions of termination and cancellation of the contract; iii) duties, rights and responsibilities of the parties; iv) the subscriber’s consent (objection) to the implementation of the duty specified in Article 33.1.3-1 of this Law; v) his/her consent (objection) to the display of information about the subscriber in survey-information sources; vi) other conditions not contrary to law. A copy of the photo ID of the subscriber must be attached to that contract.

[22] Azerfon LLC (“Nar”) respects your privacy. This Privacy Policy explains the collection, use, and sharing of information from or about you in connection with your use of the services. The term “Services” refers to our video service, including the selection of television shows, clips, movies, and other content we offer (collectively, the “Content”) and our player for viewing the Content (the “Video Player”), as well as any other products, features, tools, materials, or other services offered from time to time by Nar through a variety of Access Points. The term “Access Points” refers to, collectively, the nar.az website (the “Nar Site”), applications, and other places through which the Services may be accessed, including websites and applications of Nar’s third-party distribution partners and other websites where users or website operators are permitted to embed or have otherwise entitled to publish the Video Player. https://www.nar.az/promo/nar-tv-privacy/index-en.html

[23] Privacy Policy about the application “Azercell Kabinetim”, “Azercell Kabinetim” is created by “Azercell Telecom” LLC as a FREE application. This SERVICE is rendered by “Azercell Telecom” LLC free of charge and is intended to be used the way it exists.  This web page is used for providing information about our policy on collection, usage and disclosure of personal data of customers determined to use our Service. If you choose to use this Service, you consent to the collection and usage of information in accordance with the present policy. The collected Personal Data is used for rendering and improving this Service. We undertake not to use or share your data with anyone except for those cases described in this Privacy Policy. The provisions used in this Privacy Policy have the same meaning as the Terms and Conditions set forth in my Cabinet unless otherwise stated in the Privacy Policy. https://www.azercell.com/my/assets/policy/privacy_policy_en.html

[24] Subscription Agreement of the Bakcell LLC, https://www.bakcell.com/az/abune-muqavilesi

[25] Subscription Agreement of the Azercell, https://www.azercell.com/assets/files/abunechi-muqavilesi/azercell_abune-muqavilesi.pdf

[26] Subscription Agreement of the Azerfon, https://www.nar.az/uploads/documents/Nar_abunechi_muqavilesi_new.pdf

[27] In accordance with article 4.2.7 of the Contract provided by Bakcell LLC, the Subscriber is responsible for the correctness of the information related to the Subscriber, reflected in this Agreement and submitted by the Subscriber to “Bakcell”, and immediately informs “Bakcell” about changes in the registration address, questionnaire data, contact number and other information related to this Agreement. 2 (no later than two) calendar days) must provide written information. The subscriber does not object to the display of this information in the survey information sources.

[28] “On The Protection of Personal Data in the Area of Telecommunication Services, With Particular Reference to Telephone services”

[29] The “Principles underpinning privacy and the protection of personal data” report adopted by the UN Special Rapporteur on the right to privacy, 2022, https://documents-dds-ny.un.org/doc/UNDOC/GEN/N22/594/48/PDF/N2259448.pdf?OpenElement

[30] On 6 July 2019, during the meeting of the Working Group on “Business and human rights” held at the Ombudsman office (the meeting was dedicated to the topic “Ensuring the right to access information in the context of business and human rights”), the Commissioner noted that, despite the existence of serious reforms in the relevant field, mobile operators distribute personal data without the knowledge and consent of the data owners, as a result of which they are inconvenienced and materially damaged, and that the investigation of citizens’ complaints is carried out by companies without the participation of the complainant, which in many cases also results in a lack of consideration of the complainant’s position. The Commissioner noted that such issues must be resolved. https://ombudsman.az/az/view/news/1354/ombudsman-yaninda-biznes-ve-insan-huquqlari-uzre-ishchi-qrupun-novbeti-toplantisi-kechirilib

[31] A SIM card is more than a phone number. It allows authorities to easily track people’s locations and movements. All of their online activity—websites visited, search queries, purchases, and more—can be traced back to their device.

[32] “Mobile operators have prepared a list of rally participants”, 28 January 2019, https://yenisabah.az/mobil-operatorlar-mitinq-istirakcilarinin-siyahisini-hazirlayib

[33] “Mobile operators responded to the accusations of the opposition”, 30 January 2019, https://www.azadliq.org/a/mitinq-bakcell-azercell-azerfon/29741836.html

[34] How is personal information protected in Azerbaijan? BBC News in Azerbaijani. February 7, 2019. https://www.bbc.com/azeri/azerbaijan-46875038

[35] Access to Mobile Services and Proof of Identity 2021. The GSMA Association. April 2021, https://www.gsma.com/mobilefordevelopment/wp-content/uploads/2021/04/Digital-Identity-Access-to-Mobile-Services-and-Proof-of-Identity-2021_SPREADs.pdf

Who regulates content online in Azerbaijan? Legal analysis

In this new legal analysis, we specifically look into content regulation on the internet carried out by the Prosecutor’s office and how the measures in place silence free speech, often relying on the use of a restrictive law on Information, Informatization, and Protection of Information.

As the use of the Internet grew in Azerbaijan, so did the measures adopted by the government to regulate the internet space, through legal changes that would tighten existing regulations. As such, the ranking of Azerbaijan in the Freedom House Freedom on the Net report as “not free” is indicative of the deteriorating internet freedom in several directions, including control of the ICT market, infrastructural challenges, restrictive legal measures, accounts of harassment of citizens for online criticism, and more. Numerous evidence-based reports point out the extent of the coordinated and deliberate efforts deployed by the government in Azerbaijan in recent years to restrict the free speech of social network users, journalists, and the media at large.

Currently, two laws regulate what constitutes prohibited information on the internet and the liability for violating these requirements. These are the Law on Information, Informatization, and Protection of Information, which defines the requirements and responsibilities for individuals; and the Law on Media, which defines the (almost) similar and additional requirements and responsibilities for journalists and media.

In addition, the presidential decree dated February 22, 2022, instructed the Ministry of Justice to prepare and submit to the government, within a month, a draft law on measures for violating information and media legislation on the internet. The law is yet to be adopted, and concerns over its text and procedural implementation give grounds to worry that a new restrictive law will be adopted, not to mention its potential to further stifle free speech online.

Until then, an uptick in recent months in cases in which social media users have faced punitive measures for their online activism indicates that the Prosecutor General’s Office has taken on a temporary role of taking measures against activists, journalists, and media within the scope of the laws on information and media. As such, we decided to dedicate our next legal analysis report to the practices and activities of the Prosecutor General’s Office within the framework of national and international legislation.

***

In Azerbaijan, the Code of Administrative Offences and the Criminal Code regulate the legal sanctions against violations of the Law on Information, Informatization, and Protection of Information. However, as noted above, an uptick in administrative penalties and warnings issued to media, journalists, and social network users in recent months shows that the main government institution carrying out monitoring, and handing out penalties and warnings has been the Prosecutor General’s Office.

This frequent and, at times, aggressive interference by the prosecutor’s office, which normally is in charge of investigating criminal cases and is the prosecuting authority, itself raises a number of concerns with regard to freedom of expression and the media.

The prosecutor’s office argues that the official warnings issued by the institution are a precautionary measure for violating existing laws. It is worth noting that the laws here are also broadly defined. Local human rights lawyers and experts suspect that the prosecutor’s office relies on the existing laws on Information, Informatization, and Protection of Information as well as on the Media; however, it could also refer to additional articles of the Criminal Code. Therefore, the legality of these acts is questionable.

***

Recent amendments to the Information Law

On  December 27, 2021, the Azerbaijani parliament (Milli Məclis) adopted new amendments to the Law of the Republic of Azerbaijan On Information, Informatization, and Protection of Information (30-VIQD).

One of the amendments expands the measures against prohibited content.*

*Neither the previous nor the amended version of the law clearly defines what prohibited content is, leaving extensive room for the relevant state actors to decide and, based on these overt decisions, restrict freedom of expression online.

Previously, the owner of the internet information resource and domain name, and the hosting provider, were responsible for removing (deleting) the information (specific content such as articles) from the information resource (website). The amended version obligates the owner and the hosting provider to block access to that content (article) on the website (Articles 13-2.4 and 13-2.5).

While the law on information determines a list of grounds that define which content is prohibited, it also sets obligations for domain and information resource owners and host providers to remove or block the content upon receiving a warning from the executive authorities. In cases when content removal or blocking is not implemented, the relevant executive authority applies to the court. As such, it is the judicial power, rather than the executive power, that makes the final judgment on the (il)legality of reported content. This also means that the warnings issued by the executive authorities to the information resource and domain owners and host providers must not introduce liability, because when a court reaches its final decision, it applies the principle of proportionality, ensuring that different interests are balanced against each other.

Prohibited content as defined in the Law on Information (Article 13.2) and the Law on Media (Article 14). 

Law on Media: 

14.1.1. open calls must not be made for a forcible change of the constitutional order of the Republic of Azerbaijan, the disintegration of its territorial integrity, forcible seizure or retention of power, mass riots;

14.1.2. there must be no disrespect for the state symbols of the Republic of Azerbaijan;

14.1.3. norms of the state language must be observed;

14.1.4. discrimination on grounds of race, religion, origin, gender, ethnicity, and other discrimination must not be promoted, and also no open calls must be made for inciting ethnic, racial, or religious hatred;

14.1.5. terrorism, religious extremism, violence, and cruelty must not be propagated, and also, information aimed at financing terrorism, organizing or conducting training for terrorist purposes must not be disseminated, and open calls for terrorism must not be made;

14.1.6. words and expressions, gestures with immoral lexical (swearing) content must not be used;

14.1.7. the humiliation of honor and dignity, tarnishing of business reputation is not allowed;

14.1.8. secret information about a person’s family and private life must not be disseminated;

14.1.9. there must be no libel, insults, or hate speech;

14.1.10. actions that are contrary to the protection of health and the environment must not be propagated;

14.1.11. facts and developments must be commented on impartially and objectively, one-sidedness is not allowed;

14.1.12. parapsychology (psychics, mediums, etc.), superstition, or other kinds of fanaticism must not be propagated;

14.1.13. pornographic materials must not be published (broadcast);

14.1.14. information about a person being guilty must not be published (broadcast) without a valid court decision;

14.1.15. the requirements provided for in the Law of the Republic of Azerbaijan “On protection of children from harmful information” must be complied with;

14.1.16. other information provided in Article 13-2.3 of the Law of the Republic of Azerbaijan “On information, informatization, and protection of information” must not be broadcast.

Law on information, informatization, and protection of information:

  • false information threatening to harm human life and health, causing significant property damage, mass violation of public safety, disruption of life support facilities, financial, transport, communications, industrial, energy, and social infrastructure facilities, or leading to other socially dangerous consequences;
  • propaganda and financing of terrorism, as well as methods and means of terrorism, information about training for the purpose of terrorism, as well as open calls for terrorism;
  • information on the propaganda of violence and religious extremism, open calls directed to the evocation of national, racial, or religious enmity, violent change of the constitutional order, territorial disintegration, violent seizure or maintenance of power, and organization of mass riots;
  • state secrets;
  • instructions or methods for producing firearms, their component parts, ammunition, and explosive substances;
  • information on preparation and usage of narcotic drugs, psychotropic substances, and their precursors, about locations of their unlawful acquisition, as well as information on the location of and methods of cultivation of plants containing narcotic substances;
  • pornography, including information related to child pornography;
  • information on the organization of and incitement to gambling and other unlawful betting games;
  • information disseminated with the purpose of promoting suicide as a method of solving problems, or that justifies suicide, provides the basis for or incites suicide, describes the methods of committing suicide, or organizes the commission of suicide by several individuals or organized groups;
  • defamatory and insulting information, as well as information breaching the inviolability of private life;
  • information breaching intellectual property rights;
  • other information prohibited by the laws of the Republic of Azerbaijan.

The legal framework of the power of the prosecutor’s office to issue the official warnings  

According to Article 133 of the Constitution, the Prosecutor’s Office of Azerbaijan (hereinafter – the “Prosecutor’s Office”) shall exercise control over the execution and application of laws, institute criminal cases, and conduct investigations. According to Article 2 of the Law About the Prosecutor’s Office, the Prosecutor’s Office of Azerbaijan is a single centralized body that is part of the judicial authority.

According to Article 21 of the Law About the Prosecutor’s Office, issuing an official warning is one of the powers vested in the prosecutor, exercised in the manner and within the framework established by the Law About the Prosecutor’s Office. Article 22 of the Law identifies the circumstances under which the prosecutor or his deputy shall issue an official warning to a citizen or official.

Because these warnings, as procedural acts, are not established in the administrative code of offenses or in the criminal procedural codes of the Azerbaijan Republic, they serve to deter individuals from certain actions: to stop an action, not to repeat it, or not to take some other action in the future.

Powers of the Prosecutor’s Office in the cases of administrative offenses

Article 54 of the Code of Administrative Offenses determines the scope of the prosecutor’s supervision power in the cases of administrative offenses. Within its power, the prosecutor shall take timely measures to eliminate the violation of the law during the proceedings on administrative offenses and exercise the prosecutor’s control over the application and implementation of the Constitution and laws of Azerbaijan.

The first sentence of Article 54.2 of the Code outlines a list of administrative offenses where the prosecutor’s office is empowered to initiate the administrative offense cases. The second sentence of the same Article also gives unlimited power to the Prosecutor’s office to initiate administrative offense cases for any other cases envisaged in the Code of Administrative Penalties.

Once the decision to initiate proceedings on administrative offenses is made, the Prosecutor’s Office then shall send the case to a judge or an authorized body for judiciary proceedings on the merits of the case. Overall, the scope of the prosecutor’s supervision concerning administrative offenses includes the right of the prosecutor to decide on the initiation of proceedings on administrative offenses, to participate in consideration of cases on administrative offenses, to give an opinion or petition on issues arising during the proceedings, to protest against a decision or to rule on an administrative offense.

Thus, the prosecutor’s office has the authority to take measures of responsibility and deterrence against the dissemination of prohibited information on the Internet under the existing legislation on administrative offenses and the law of the prosecutor’s office.

Prosecutor General’s Office warnings to journalists and social media users – comments on recent cases

Detecting dissemination of prohibited information on the Internet and taking non-criminal measures against it is carried out (in the order of checking the information on the violation of the law) by the department for Non-Criminal Prosecution of the Prosecutor General’s Office of Azerbaijan.

In recent months, there have been numerous reports in the media about social media users, journalists, and news websites receiving warnings or being the subject of administrative offense case materials submitted to the courts by the Prosecutor General’s Office.

Example 1:

On April 1, 2022, the Prosecutor General’s Office warned two online media platforms for spreading inaccurate information. According to the Press Service of the Prosecutor General’s Office, “gazet.az” and “manset.az” published inaccurate information on March 31, 2022, about an incident in Nakhchivan in which, as a result of a collapsed school building, some 20 people died and many more were injured, thus violating the requirements of the Laws of the Republic of Azerbaijan “On Information, Informatization and Protection of Information”, as well as “On Media”.

But neither of the laws prohibits the spread of inaccurate information, nor do these laws define what inaccurate information is. The vagueness of the terminology, however, does allow the law enforcement authority to define any kind of views and comments as “inaccurate information” and take punitive or deterrent legal action against them.

Example 2:

According to the press service of the Prosecutor General’s Office dated January 24, 2022, the Prosecutor General’s Office of the Republic of Azerbaijan continued to take preventive measures against the placement of information prohibited by law on the Internet, for the purpose of ensuring information security.

The press service then referred to five social media users who received warnings and one person who was detained on the grounds of putting pressure on democratic institutions, disrupting the activities of government agencies, making calls that would result in a decline of governance in the country, as well as posting insulting or defamatory information on Facebook, thus violating Article 13-2.3.9 of the Law on Information.

However, Article 13-2.3.9 of the Law on Information, Informatization, and Protection of Information cited by the Prosecutor General’s Office only prohibits the dissemination of “information that is insulting or slander, as well as infringing on the privacy of private life.” The law does not include information that could be characterized as putting “pressure on democratic institutions”, “disrupting government agencies”, or “calling to reduce the level of governance in the country” on the list of prohibited information.

Example 3:

On December 21, 2021, the Prosecutor’s office issued a warning to the principal of a high school, who was interviewed about the suicides among students. The Prosecutor’s office said the information shared by the school principal qualified as prohibited content, and thus was unacceptable to spread.

The Prosecutor General’s Office did not reveal further details about the case and specifically what parts of the principal’s interview violated the rules about the information on suicide. Article 13-2.3.8 of the Law on Information only prohibits the information that “promotes suicide as a method of solving problems, justifies or incites suicide, explains the methods of committing suicide or information to organize the suicide of several people in a group.”

Example 4:

On December 28, 2021, the Prosecutor’s office issued a warning to 5 social media users for violating Article 13-2 of the Information law by spreading information without citing certain facts and sharing biased information aimed at stirring sensation in society. The prosecutor’s office further urged social media users and journalists “to refrain from disclosing inaccurate and distorted information,” warning “that the most serious measures would continue against the spread of biased and misleading information in society.”

A similar non-criminal legal action (i.e., a warning) was taken by the Prosecutor’s Office on November 21, 2021, against some media and social network users. The Prosecutor General’s Office initiated an administrative offense case under Article 388-1.1.1 of the Code of Administrative Offenses and sent the case to the relevant court for consideration. In addition, three other people were warned by the prosecutor. The Prosecutor General’s Office further urged more serious measures in accordance with the relevant legislation, including criminal liability against media and social network users who disseminate false and inaccurate information in order to create artificial agitation.

However, Article 13-2 of the information law does not prohibit information of a “sensational” nature, information not based “on concrete facts”, or the sharing of “various biased information.”

Legal commentary on warning acts issued by the Prosecutor General’s Office

As noted above, although formal warnings are defined as a type of prosecutorial act, they do not explicitly determine the concrete legal consequences for the persons receiving these warnings. As such, it is possible to determine from existing cases that these warnings issued by the prosecutor’s office are announced after alleged perpetrators are called in for questioning.

It is also possible to determine that inviting the alleged perpetrator to the prosecutor’s office is done for the purpose of signing the warning act, as a way to consent and/or admit to violating the law and to commit to not repeating it. This was reflected in the case of journalist Avaz Zeynalli*, who after being called in for questioning refused to sign the issued warning. In such cases (when the warned entity does not sign the warning), the refusal does not remove or cancel the warning. Also worth noting is that there are no specific points mentioned in the existing legislation about measures leveled against entities who refuse to sign the warnings.

Finally, while these official warnings are carried out as preventive measures against violating existing legislation, the procedural action itself is prescribed neither in the criminal law nor in the Code of Administrative Offenses. According to the Supreme Court of the Republic of Azerbaijan, “warnings” must be examined within the framework of administrative proceedings by the administrative courts. As such, the court clearly states that warnings are issued within the framework of administrative proceedings, and that the prosecutor’s office functions as a law enforcement authority and has the authority to summon the individual to introduce the warnings. Such instances of summoning and conversations are apparently mandatory and carried out by the prosecutors like the “procedural coercive measures” indicated in the Criminal Procedure Code. Nevertheless, once again, it is important to note that a warning is not a sanction within the meaning of criminal law and administrative offenses law, and therefore the prosecutor’s office shall not apply procedural coercive measures in the absence of any offense.

*The decision of the Supreme Court of the Republic of Azerbaijan, № 2-1(102)-134/2019, 14.05.2019, Avaz Zeynallı v. Chief Prosecutor’s office.

Conclusion

What the cases above illustrate is that there is a problematic and overbroad application of legal measures against social media users, journalists, and media in Azerbaijan. The examples further indicate the application of restrictive information law (which includes vaguely defined grounds to restrict free speech) against free speech on the internet and its likelihood of violating freedom of speech and media freedom standards.

Social media users, journalists, and media may argue that government regulations and their overbroad application by the Prosecutor General’s Office impermissibly infringe their freedom of speech guaranteed under the Constitution and international conventions to which Azerbaijan is a party.

Furthermore, there are almost no reports of domestic courts rejecting petitions by the prosecutor’s office against people’s rights to exercise their right to freedom of speech online, creating additional concerns about the absence of effective judicial and other remedies against the arbitrary use of domestic legislation against speech freedom rights.

As mentioned in the analysis above, one of the main challenges is that in its current form, the law on Information as well as the Code of Administrative Offenses provides vaguely defined grounds which are then used by the Prosecutor General’s Office with wide and arbitrary discretion, and at times, in the absence of any clear citing of the permissible grounds in the law. Such interference with freedom of speech is not compatible with the international standards which require that the restrictions on freedom of speech are clearly defined and concisely envisaged in the law and pursue legitimate aims as prescribed in national laws.

An analysis of most of the above cases shows that the Prosecutor General’s Office and the domestic courts interfere in freedom of expression without the proper legal grounds required for such interferences. The content of the impugned remarks characterized by the Prosecutor General’s Office and domestic courts as false, inaccurate, aimed to create a sensation, or to put pressure on the government and democratic institutions is not explicitly mentioned in the Law on Information, Informatization, and Information protection. This is against international standards which require that national authorities intervening in the freedom of expression have a basis in national laws (as a rule, this would mean a written and public law adopted by parliament), as well as demonstrate sufficient reasons for justifying the interference and carefully balancing the applicants’ right to freedom of expression with the other permissible (legitimate) grounds.

Azerbaijan is obligated to protect the right to freedom of expression, including the right to seek, receive, and impart information both online and offline, including on public health. International human rights treaties, including the International Covenant on Civil and Political Rights (Article 19) and European Convention on Human Rights (Article 10) permit restrictions on freedom of speech only if they are provided for by law, are strictly necessary and proportionate to achieving a legitimate aim.

Considering the increased scope of the legal harassment, it would be fair to conclude that such large-scale punitive and deterrent legal measures against freedom of expression by law enforcement authorities are aimed at silencing legitimate criticism, discouraging citizens from expressing their views, and further suffocating the freedom of expression on the Internet.

The Pegasus Project and Azerbaijan – what does domestic legislation tell us about privacy of users in Azerbaijan

This is part four in a series of detailed legal reports and analyses on existing legal amendments, and new legislation affecting privacy, freedom of expression, media, and online rights in Azerbaijan and their compliance with international standards for freedom of expression.  We dedicate this report to the recent Pegasus Project investigations.  

Background

Members of opposition political parties, independent journalists, political and human rights activists have long faced systematic pressure and persecution orchestrated by the government of Azerbaijan. The unprecedented crackdown against civil society that began in 2013 marked a new chapter in the history of Azerbaijan’s civil society, one marred by arrests and prosecution of high-profile activists, rights defenders, and journalists.

This systematic pressure and harassment were not only offline. It was only a matter of time before the internet too would become a place to target activists, journalists, and human rights defenders, holding them accountable for their online criticisms on bogus accusations that often ended with lengthy jail sentences, forced apologies on public televisions (see The State of Internet Freedom in Azerbaijan report), detentions and further forms of persecution.

In a country where almost all avenues for freedom of expression and activism were eliminated, the internet, specifically online media platforms, and social media networks became new targets. To monitor discussions online, prevent citizens from accessing independent news online, or social media platforms, and to further curb freedoms online, the government of Azerbaijan embarked on a shopping spree, becoming a client of companies selling sophisticated surveillance equipment and technology.[1]

By 2021, the government of Azerbaijan had successfully deployed a Remote Control System (RCS), Deep Packet Inspection (DPI), phishing, and spear-phishing attacks, often with homegrown malware. The most recent addition to a wide variety of authoritarian technology deployed in Azerbaijan is Pegasus spyware.

The Pegasus Project

On July 18, 2021, an international consortium of more than 80 journalists from 17 media outlets revealed the Pegasus Project. Spearheaded by Forbidden Stories, a Paris-based journalism not-for-profit, with technical support of Amnesty International Security Lab, the Pegasus Project is a global investigation into an Israeli surveillance company, the NSO Group, and its most sought-after hacking software, called Pegasus.

According to the investigation, the NSO Group sold Pegasus to at least ten government clients including in Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Azerbaijan, Rwanda, Saudi Arabia, and the UAE. Among the targets were journalists, human rights defenders, political opponents, business people, and heads of state.

“Forbidden Stories and Amnesty International had access to a leak of more than 50,000 records of phone numbers that NSO clients selected for surveillance,” wrote Forbidden Stories sharing the findings of the investigation.

Of the leaked phone records, at least 1000 were identified as belonging to users from Azerbaijan. One of the media partners in the investigation, the Organized Crime and Corruption Reporting Project (OCCRP), undertook to investigate numbers that belonged to users in Azerbaijan, Kazakhstan, and Rwanda.

So far, OCCRP has been able to identify 250 targeted phone numbers, which belonged to reporters,[2] editors, media company owners, activists, human rights defenders, and their family members. As of July 27, OCCRP confirmed at least 80 cases of the alleged surveillance.[3]

Following the release of the investigations, international organizations, such as Reporters Without Borders, said they will pursue legal action against those responsible for this massive surveillance.[4] In Azerbaijan, some of the targeted individuals intend to appeal to local courts and then to the European Court of Human Rights, on the grounds of infringements of their right to private life.[5]

While law enforcement authorities in Hungary[6], Israel[7], France[8], the USA[9], and Algeria[10] have launched probes into suspected unlawful surveillance via Pegasus spyware, the Azerbaijani law enforcement agencies are yet to respond.

What chance do those targeted in Azerbaijan stand in pursuing legal action against the government of Azerbaijan? To answer this question, we look at the national legislation enabling the government to carry out surveillance en masse and citizens’ rights to privacy.

Domestic framework

The right to private life is under the protection of comprehensive constitutional provisions, namely Article 32 of the Azerbaijani Constitution which guarantees that everyone has the right to the inviolability of private[11] and family life, including with respect to correspondence, telephone communications, post, telegraph messages and information sent by other means of communication. Article 32 further states that gaining, storing, using, and spreading information about the person’s private life without his/her consent is not permitted. These rights may be restricted, as prescribed by law, in order to prevent crime or to determine the truth in the course of the investigation of a criminal case. Section eight of article 32 also indicates that the scope of the personal information, as well as the conditions of their processing, collection, sharing, use, and protection, is prescribed by law.

In addition, there are normative legal acts recognizing the right to private life, including regulating the restrictions of private life in telecommunications networks.

While mentioning a catalog of rights for individuals in respect to the right to privacy[12], article 3 of the basic law on private data – the Law on Private Information,[13] stipulates that the rules for the collection and processing of personal data, concerning intelligence and counterintelligence, and operation-search activities are regulated by other respective legal acts (discussed below).

The Law on Private Information obligates the operators to create necessary conditions for intelligence, counterintelligence, and search operations in accordance with the legislation, to guarantee relevant organizational and technical issues, and to comply with the confidentiality of the methods used to conduct these activities.[14]

Along with the Law on Personal Data, the Law on Telecommunication also determines the powers of state bodies, notably subjects of intelligence and counterintelligence search operations, to collect or intercept personal data from the telecommunication channels and networks.[15]

In Azerbaijan there are two types of oversight over citizens:

  1. Extraction of information from telecom channels, i.e., interception; and
  2. Surveillance

The Law on Operation-Search Activity oversees phone tapping and information extraction from communication channels.[16] Further, the third section of article 10 of the Law on Operation-Search Activity does not require a judicial act or supervision of higher authority while wiretapping and extracting information from technical communication channels unless there is a need to install technical devices such as voice, video, or photo recorders at the place of residence of the individuals.

In other words, anyone in Azerbaijan can be subject to such a form of oversight.

The Law on Telecommunication obligates network operators to install special equipment, provided by the State Security Service, Ministry of Internal Affairs, and Special State Protection Service onto the telecommunication networks[17] enabling the Government to extract (intercept) data on anyone regardless of whether that person(s) is part of an investigation process or not.

The installation of special equipment within communication networks is regulated by the “Rules for equipping telecommunications operators and providers with additional technical means for conducting search operations, reconnaissance and counter-intelligence activities” issued by the Ministry of Transport, Communications, and High Technologies on June 14, 2016.[18] The Rule obligates telecommunication operators and providers to create technical conditions for the conduct of relevant activities within the communication networks.

The Rule defines the Telecommunication Control System (hereinafter – TCS) as special hardware and software that provides confidential control over the exchange of information of subjects targeted by the relevant measures (such as search and operation, intelligence, and counterintelligence activities), as well as all statistical data of the network. The TCS consists of data extraction facilities, transport networks, and control centers.

The Rule also indicates that relevant measures in the communication networks are carried out in accordance with the requirements of the laws of the Republic of Azerbaijan “On Operation-Search Activity” and “On Intelligence and Counterintelligence Activity”.[19]

However, while the Law on Operation-Search Activity may allow secret surveillance and seizure of private information, there are no rules or procedures within the national legislation for secret surveillance and intercepting information by government agencies. There are also no clearly defined rules on determining the grounds for such surveillance and interception activities, their duration, and whether such activities can be stopped by a court or other higher state authority.

Further, when analyzing the national legislation, it becomes clear that a number of rules about the organization of search operations by law enforcement agencies, as well as the placement of surveillance and tapping devices within the telecommunication infrastructure, have not been published. For example, the “Rules for ensuring information security in the implementation of search operations in communications networks” approved by Presidential Decree No. 638 on October 2, 2015, is not disclosed.[20]

As mentioned earlier, interference with the right to personal data within telecommunication networks is carried out by the representatives of the search and operation, intelligence, and counterintelligence authorities. The technical and organizational conditions for the provision of the search operation, intelligence, and counterintelligence activities within communication networks are determined by the State Security, and in cases where relevant to the Ministry of Internal Affairs, together with the Special State Protection Service of Azerbaijan.

Infringement of privacy is prohibited under the Criminal Code (Article 156). Illegal collection of information, documents containing such information, visual materials, audio recordings, as well as their sale or transfer to another person is punishable by a fine in the amount of 1,000 to 2,000 AZN (approximately 600-1200 USD); by public works ranging from 240 to 480 hours; or by correctional labor for up to one year. In cases where the same offense is committed by an official using his/her official status, the crime is punishable by restriction of liberty for a period of up to two years or by imprisonment for a term of up to two years with or without deprivation of the right to hold a certain position or engage in certain activities for up to three years.[21]

The Criminal Procedural Code provides that the investigation of the infringement of privacy is carried out in the form of a public-private prosecution upon the complaint of the victim or by the initiative of the prosecutor when the committed crime affects the interests of the state or society.[22]

Compliance with international standards

The right to protection of personal data is not an autonomous right among various rights and freedoms covered by the Convention. The Court has nevertheless acknowledged that the protection of personal data is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life, home, and correspondence, as guaranteed by Article 8 of the Convention (Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland [GC], 2017, § 137; Z v. Finland, 1997, § 95).

According to the Court’s established case-law, the requirement that any interference must be “in accordance with the law” will only be met when three conditions are satisfied: the impugned measure must have some basis in domestic law and, with regard to the quality of the law at issue, it must be accessible to the person concerned and have foreseeable consequences.[23]

The non-availability of any official information or confirmation on the scope and form of the surveillance and interception of mobile devices through the Pegasus spyware may also raise specific issues concerning the difficulties in recognizing the victims’ status within the framework of national laws.

However, the relevant case-law of the ECtHR is relatively flexible on the subject of recognition of the victim’s status. The ECtHR, therefore, accepts that an individual could, under certain conditions, claim to be the victim of a violation occasioned by the mere existence of secret measures or of legislation permitting secret measures, without having to allege that such measures had been in fact applied to him or her.[24]

Further, considering that domestic legislation does not require any judicial act or does not provide any independent oversight over the interferences to the right to privacy, there is little information about the form and scope of the interception and surveillance of individuals’ privacy within telecommunications networks in Azerbaijan. This is also contrary to the well-established standards of the ECtHR concerning the issue of personal data collected by means of various methods of secret surveillance. The fact that various government institutions are vested with powers and authority – as provided by domestic laws — to listen to anyone at any time on telecommunication networks, in itself does not meet the requirements of the qualitative law enshrined in the case-law of the European Court.

The ECtHR considers the requirements of the Convention, notably in regard to foreseeability, to not be exactly the same, in the special context of interception of communications for the purpose of police investigations.

According to the ECtHR case law, the Convention’s “quality of law” concept requires that domestic laws, notably those allowing state interference with rights and freedoms, be sufficiently accessible and foreseeable.

The requirement of foreseeability means that the national law must be sufficiently clear in its terms, in order to give citizens an adequate indication of the circumstances and conditions for which public authorities were empowered to resort to this secret and potentially dangerous interference with the right to respect for private life and correspondence. Consequently, the law must indicate the scope of any such discretion conferred on the competent authorities and the manner of its exercise with sufficient clarity, having regard to the legitimate aim of the measure in question, and to give the individual adequate protection against arbitrary interference (Malone v. the United Kingdom, 2 August 1984, §§ 67 and 68, Series A no. 82. See also Kennedy v. the United Kingdom, op. cit., § 152).[25]

In this regard, within the framework of the European Court’s supervision function under the Convention’s standards, the ECtHR’s authority to verify the compliance of online surveillance regimes with the Convention’s standards would provide effective protection.

In the recent Grand Chamber judgment in the case of Big Brother Watch and Others v. the United Kingdom (application nos. 58170/13, 62322/14 and 24969/15), the ECtHR held unanimously that there had been a violation of Article 8 of the European Convention (right to respect for private and family life/communications) in respect of the regime for obtaining communications data from communication service providers, noting that an assessment of the necessity and proportionality of the measures being taken should be made at each stage of the process of intercepting and obtaining private information from telecommunications networks; that bulk interception should be subject to independent authorization at the outset when the object and scope of the operation were being defined; and that the operation should be subject to supervision and independent ex post facto review.

We conclude that, based on the above analysis of the loose interpretation and at times overt national legislation, it is important to take these cases of surveillance and interception to the ECtHR for the purpose of assessing the country’s legal framework and its (in)applicability with the ECtHR’s case law.

[1] Internal company documents show Azerbaijan’s Ministry of National Security purchased Hacking Team’s Remote Control System (RCS) surveillance spyware via a California-based intermediary called Horizon Global Group in 2013 for an initial payment of €320,000. https://www.occrp.org/en/daily/4136-azerbaijan-bought-hacking-team-s-surveillance-spyware-leaks-reveal

[2] Turan, Pegasus has been spying on Azerbaijani journalists and activists over years, July 19, 2021, https://www.turan.az/ext/news/2021/7/free/politics_news/en/5975.htm/001 

[3] OCCRP, People Selected for Targeting by Azerbaijan, https://cdn.occrp.org/projects/project-p/?_gl=1*rnxzxn*_ga*MjEyNTY0MTgzMS4xNjI3NDE1OTE1*_ga_NHCZV5EYYY*MTYyNzQxNTkxMy4xLjEuMTYyNzQxNTkyNy40Ng..#/countries/AZ

[4] Turan, The organization in defense of press freedom “Reporters without Borders” is outraged by the fact that 200 journalists from 20 countries are being spied on with the help of the Israeli spy system Pegasus, July 2021, http://www.turan.az/ext/news/2021/7/free/politics_news/en/6042.htm/001

[5] Voice of America, Interview with Bakhtiyar Hajiyev, July 20, 2021, https://www.amerikaninsesi.org/a/bəxtiyar-hacıyev-avtoritar-rejimlər-hətta-ən-yaxın-çevrəsinə-güvənmir/5972455.html

[6] Al Jazeera, Hungary prosecutors open investigation into Pegasus spying claims, July 22, 2021, https://www.aljazeera.com/news/2021/7/22/hungary-prosecutors-open-investigation-into-pegasus-spying-claims

[7] Al Jazeera, Israel launches commission to probe Pegasus spyware: Legislator, July 22, 2021, https://www.aljazeera.com/news/2021/7/22/israel-launches-commission-to-probe-pegasus-spyware-legislator

[8] Euractiv, France launches investigation into Pegasus spying allegations, July 22, 2021, https://www.euractiv.com/section/cybersecurity/news/france-launches-investigation-into-pegasus-spying-allegations/

[9] Reuters, FBI probes use of Israeli firm’s spyware in personal and government hacks – sources, July 22, 2021,  https://www.reuters.com/article/us-usa-cyber-nso-exclusive-idUSKBN1ZT38B

[10] The Star, Algeria launches probe into Pegasus spyware claim, July 22, 2021, https://www.thestar.com.my/tech/tech-news/2021/07/23/algeria-launches-probe-into-pegasus-spyware-claim

[11] Constitution of the Republic of Azerbaijan, https://static2.president.az/media/W1siZiIsIjIwMTgvMDMvMDkvNHQzMWNrcGppYV9Lb25zdGl0dXNpeWFfRU5HLnBkZiJdXQ?sha=c440b7c5f80d645b

[12] According to article 7 of the Law on Personal Data, individuals have the right to require a legal justification for the collection, processing, and transfer of their personal information to third parties, and information on the legal consequences for the subject of the collection, processing, and transfer of such information to third parties; to get acquainted with the content of personal information collected about himself/herself in the information system; to learn the purpose, the period and methods of collecting and processing personal information about himself/herself; to demand clarification and destruction of personal data collected and processed in the information system, except for the cases established by the legislation; to demand a ban on the collection and processing of personal data about himself/herself, etc.

[13] Law on Private Data, http://e-qanun.az/framework/19675

[14] Article 10.5, Law on Personal Data

[15] Article 39, Law on Telecommunication (article 10.5 of the Personal Data is repeated in article 39 of the Law on Telecommunication)

[16] Article 10, Law on Operation-Search Activity, http://e-qanun.az/framework/2938

[17] Under the Telecoms Law and the conditions of telecom licensing and registration, telecom operators and providers must cooperate with the law enforcement authorities and install special equipment and software programmes allowing them access to information under the undisclosed technical rules adopted by the Presidential order on October 2, 2015. The Law on Telecommunication, article 39. Paragraph 1 of the article states: “operators, providers are obliged to create conditions for conducting search operations, intelligence and counter-intelligence activities in accordance with the law; to provide telecommunications networks with additional technical means in accordance with the conditions established by the relevant executive authority; to resolve organizational issues, and to keep secret the methods used in conducting these events.” Paragraph 2 of the article states: “The operator, the provider shall be liable for the violation of these requirements in accordance with the law.”

[18] http://e-qanun.az/framework/33275

[19] Article 1.5.7. “Rules for equipping telecommunications operators and providers with additional technical means for conducting search operations, reconnaissance and counter-intelligence activities”, issued by the Ministry of Transport, Communications and High Technologies,   June 14, 2016

[20] The Presidential Decree No. 638, October 2, 2015, http://e-qanun.az/framework/30840

[21] The Criminal Code of Azerbaijan, http://e-qanun.az/framework/46947

[22] The Criminal Procedure Code of Azerbaijan, http://e-qanun.az/framework/46950

[23] Kennedy v. the United Kingdom, op. cit., § 151; Rotaru v. Romania, op. cit., §52; Amann v. Switzerland, op. cit., § 50; Iordachi and Others v. Moldova, op. cit.; Kruslin v. France, § 27; Huvig v. France, § 26; Association for European Integration and Human Rights and Ekimdzhiev v. Bulgaria, op. cit., § 71; Liberty and Others v. the United Kingdom, op. cit., § 59, etc.

[24] National security and European case-law, Council of Europe / European Court of Human Rights, 2013, para. 9, https://rm.coe.int/168067d214

[25] National security and European case-law, Council of Europe / European Court of Human Rights, 2013, page 2, https://rm.coe.int/168067d214

Azerbaijan to license online TV channels

In January 2021, Az-Net Watch covered a new legal development concerning the media freedom environment in Azerbaijan. At the time, it was announced that a newly established Azerbaijani Agency for Media Development would replace the State Support Fund for Mass Media Development, which was marred by corruption allegations, and that a new media law had been drafted by the Administration of the President for the President’s review in two months. Six months down the line, the draft media law is finally set for review, albeit much to the disappointment of media freedom advocates and media practitioners in Azerbaijan.

According to an Azadliq Radio report, the new law entails licensing Internet television and radio broadcasting. The proposal, spearheaded by the National Television and Radio Council (NTRC), was announced on June 17.

Specifically the draft law states that:

1) the online channel must have its own website and broadcast from this site;

2) the online channels must broadcast for not less than 6 hours as determined by the proposed new draft bill.

In addition, the Agency for the Development of Mass Media would register online news sites and news agencies.

When Turan News Agency reached out to the NTRC for comment, the Council refuted the claims that the draft bill mentioned Internet TV. Similarly, when the agency asked the newly created Agency for Media Development, the latter said it had no information about such a requirement in the bill. And yet, according to the Azadliq Radio report, it was the NTRC that told state news agency APA about the draft bill.

Several independent experts said that, if true, the new bill, and specifically the proposal about licensing, violates Article 10 of the European Convention on Human Rights and norms enshrined in Azerbaijan’s Constitution.

Addressing the controversial new bill, media law expert Alasgar Mammadli said that, in addition to contradicting Article 10 of the Convention, the license requirement can only be applied to broadcasters using frequency transmissions, which is not the case for Internet television. In another interview, Mammadli said, “Only during the broadcast, there should be compliance with the general law, which is currently regulated by the Law on Mass Media, Criminal Law, and other laws. There are no gaps, and there are even unnecessary regulations (restrictions).”

Another legal expert, Khaled Aghaliyev, evaluating the bill in a post on the social media platform Facebook, said, “It was clear that the government, which promised progressive reforms in the legal regulation of the media, worked harder than ever on reactionary regulatory mechanisms.” Aghaliyev said that, in all likelihood, the lawyers working on “progressive regulations” took it upon themselves to interpret one specific sentence of Article 10 word for word. That sentence, Aghaliyev notes, says, “This Article shall not prevent States from requiring the licensing of broadcasting, television or cinema enterprises.” “But they [lawyers] thought wrong. The mentioning of that licensing applies only to traditional television, and radio. Therefore, the part of the new bill that we know of, is reactionary, binding freedom of expression. It does not comply with our constitutional norms or the European Convention.”

Stressing the importance of adopting a new media law, Aghaliyev instead offers a different approach. “The government should share the full text of the new draft law and let the civil society prepare an alternative. The two drafts should then go to the Council of Europe experts. Let the Council decide and adopt the one recommended instead.” [A similar initiative took place in 2017 when Azerbaijan’s civil society submitted an alternative analysis of the law on access to information as part of the Good Governance partnership]. 

Screenshot from the report “Compliance of the Republic of Azerbaijan with the International Covenant on Civil and Political Rights”. The full report can be accessed here: https://tbinternet.ohchr.org/Treaties/CCPR/Shared%20Documents/AZE/INT_CCPR_CSS_AZE_25228_E.pdf

An attempt to license online television was previously discussed in 2010, 2011, 2012, and 2016. Over the past decade, national lawmakers have also suggested regulating social media platforms on several occasions. In March 2017, Azerbaijani lawmakers approved legislation tightening rules for Internet use. Shortly after, scores of independent and opposition news websites were blocked inside Azerbaijan.

*“National Television and Radio Council (NTRC) of Azerbaijan, was established by decree № 794 of the President of Azerbaijan Republic dated October 5, 2002 to ensure the implementation and regulation of state policy in broadcasting sector. The objective of the Council is to regulate the activity of television and radio companies, protect interests of the public during the broadcast, and control the observance of legislation on broadcasting.”

Legal analysis of a COVID tracing app released last year in Azerbaijan

This is part three in a series of detailed legal reports and analyses on existing legal amendments, and new legislation affecting privacy, freedom of expression, media, and online rights in Azerbaijan and their compliance with international standards for freedom of expression.  

In July of last year, authorities in Azerbaijan released their very own COVID tracing application. Launched by Tebib (Azerbaijan Administration of Regional Medical Division), the app was quick to draw attention, especially over its privacy issues.

The mobile app is operated by the Data Processing Center (DPC), which is the main structure of the information technologies of the Ministry of Transport, Communications, and High Technologies. According to the app’s version history at App Store, the application “update” was done on 27 May 2021. 

e-Tebib is just one of the deluge of apps unveiled during the height of the COVID-19 pandemic by various governments, promising to detect COVID-19 exposure and more.

Below, we break down the pervasiveness of the app having analyzed existing national and international legislation.

Features and concerns

According to the app’s description, “E-Tebib is designed to inform users in real-time about the number of patients (both sick and recovered) in Azerbaijan.” Since the start of the pandemic, the official data for Azerbaijan on the number of infected patients and recoveries were made available here and the numbers were updated once a day – based on the numbers reported by the Operational Headquarters set up under the Cabinet of Ministers of the Republic of Azerbaijan (the unit was established on February 27, 2020). Already from the start, it was unlikely the app was going to provide real-time indicators when the main body in charge only shared the information once a day. 

In addition, article 4.4 of the app’s user agreement explicitly said that any information obtained through the app may not be precise, correct, or trusted. And yet, the app also claimed to reduce the number of infected patients by informing users of potential COVID-infected patients around them via Bluetooth technology.

Although the app claimed it did not collect any personal data aside from the user’s phone number, article 5.3 of the license agreement stated that the center [the Ministry of Communication, Transportation and High Technologies, which owns the app’s license] collected users’ names, last names, phone numbers, social media accounts, emails, national ID numbers, and location.

Article 5.1 mentioned that the center was sharing this information with third parties. These third parties were allowed to analyze collected information, including users’ browsing history [the center did claim that it did not allow third parties to use the obtained information for other purposes]. Article 5.5.1 stated the center may share users’ information upon government bodies’ and/or representatives’ legal requests, court orders, or under any other legal condition. Furthermore, article 5.6 stated that users’ information may be shared with third parties in other countries for security purposes.

What the law says

According to Article 5.1 of the Law on Personal Data personal information is protected from the moment it is collected and for this purpose, it is divided into confidential and public categories according to the type of access. Article 5.2 of the Law on Personal Data stipulates that confidential personal data must be protected by the owner, operator, and users who have access to this information on a level required by law. Confidential personal information may be disclosed to third parties only with the consent of the subject, except as provided by law. Article 5.3 of the Law on Personal Data defines open personal data as information anonymously duly declared, made public by the subject, or entered into the information system with the consent of the subject. The person’s name, surname, and patronymic are permanently open personal information.

The terms of the agreement [of the app] on sharing private information with third parties are vaguely regulated and open to wide interpretation, allowing for the unlawful transmission of private information to third parties.

Furthermore, article 5.5.1 of the app’s agreement, which states that information might be shared upon government representatives’ legal requests, is problematic from the human rights perspective. It fails to specify on which grounds and under what conditions the state authorities might request private information, which is necessary in terms of procedural fairness and safeguards against arbitrariness.

Where personal information is stored for the interest of the protection of health, there should be adequate and effective guarantees against abuse by the state. The law in question, which allows the storing of such information, must indicate with sufficient clarity the scope and conditions of exercise of the authorities’ discretionary power. These standards to some extent are also backed in Article 11.2.2 of the Law on Personal Data which states that when collecting personal data, the owner or operator must notify the subject about the purpose of personal data that is being processed and the legal grounds of this purpose.

In other words, it is not clear whether any state authority can have access to private information simply upon requesting it without legal justification. This is also a requirement of the Law “About operational search activities” as per Article 10. Thus, Article 10 of the Law states that the extraction of information from technical communication channels and other technical means is carried out on the basis of the decision of the court [judge].

Article 5.10 of the app’s user agreement states that all user-related data is kept for a month. But it fails to explain whether the same expiry date applies to “third parties” that may have access to users’ information. This is contrary to Article 8.2 of the Law on Personal Data. The Law on Personal Data requires that the written consent for the processing of the subject’s personal data include the purpose of collecting and processing the personal data (specifically Article 8.2.3) and the conditions of destruction or archiving of personal data collected in the relevant information system after the expiration of the period of storage or after the death of the subject in the manner prescribed by law.

Such vagueness is also contrary to the ECtHR’s well-established case law. In the Aycaguer v. France case, the ECtHR ruled that there was a violation of Article 8 (right to respect for private life) of the Convention by “determining the duration of storage of […] personal data depending on the purpose of the file stored […]”. The Court noted that, to date, no appropriate action was taken on that reservation and that there was currently no provision for differentiating the period of storage. The Court also ruled that the regulations on the storage of DNA profiles did not provide the data subjects with sufficient protection, owing to its duration and the fact that the data could not be deleted. The regulations, therefore, failed to strike a fair balance between the competing public and private interests.

Another concern was that the application was developed by A2Z Advisors LLC and the app’s privacy policy was linked to the company’s website. The landing page of A2Z Advisors LLC, however, did not provide any information on the app’s privacy policy. At the time when the app was launched, AIW reached out for comment via email as per A2Z’s recommendation but never received a response.

Similarly, in the App Store for iOS, clicking on the “App Support” tab once again led to the A2Z company website, which once again failed to provide any information related to the app. Instead, the privacy policy was accessible via a link that a user could reach only after downloading and launching the app. This in itself was contrary to several articles of the Law on Personal Data.

According to Article 11 of the law, when collecting personal data, the owner or operator is required to notify the subject about the level of protection of personal data collected and processed in the information system [11.2.3.]; the information on the existence of a certificate of conformity of information systems and state examination [11.2.4.]; and the scope of the intended uses of personal data, including the information system for which the information is to be exchanged [11.2.5.]. However, no such information was provided in the app’s agreement.

The app was also not open source and was licensed under the Ministry of Communication, Transportation, and High Technologies. This is contrary to the requirement [Article 6.22] of the Resolution of the Cabinet of Ministers on “Requirements on creation and management of Internet information resources of state bodies”, which requires that open source content management systems should not be used in internet information resources.

FaktYoxla, a fact-checking platform in Azerbaijan, concluded after a detailed legal analysis of the license agreement that e-Tebib was not designed in accordance with the national legislation on data privacy. The fact-checking platform, having analyzed the respective case-law of the European Court, the EU Data Protection Directive, and the Council of Europe Treaty 108, concluded that the e-Tebib application contradicted the obligations imposed by international standards.

On July 10, 2020, following widespread privacy concerns and questions over the app’s transparency, changes were made to the terms of the agreement.

Originally users’ information was transferred to third parties, which were not explicitly defined in the agreement. At the time, independent experts and lawyers said this was against Article 32 of Azerbaijan’s state constitution and in violation of Article 8 of the European Convention on Human Rights.  Azerbaijan’s constitution, namely, Article 8, stipulates that no one has a right to collect personal information without an individual’s permission. The convention, on the other hand, refers to respect for privacy. 

***In the Copland v. the United Kingdom case (no. 62617/00, ECHR 2007-I), the Court found that it was irrelevant that the data held by the college where the applicant worked was not disclosed or used against her in disciplinary or other proceedings. Just storing the data amounted to an interference with private life.

The updated license agreement said that personal information may be transferred to third parties only under necessary circumstances and within the normative legal framework. The revised agreement still fails to explicitly list the institutions considered third parties.

Fuad Niftaliyev, the head of the app development project, later explained that the third parties referred to in the agreement are the Ministry of Health, Tebib, and the Operational Headquarters [set up under the Cabinet of Ministers of the Republic of Azerbaijan]. Niftaliyev clarified that the collected information was stored on the servers operated by the Ministry of Communication and Information. However, that too was problematic, given the questionable transparency of government institutions in Azerbaijan, especially as surveillance technology is widely used by the ministries.

Azerbaijan’s desire to regulate online hate speech: What problems should Azerbaijan fix first?

This is part two in a series of detailed reports and analyses on existing legal amendments and new legislation affecting freedom of expression, media, and online rights in Azerbaijan and their compliance with international standards for freedom of expression.  

Background

On September 17, 2020, Zahid Oruc, a member of parliament and the head of the Human Rights Committee at the National Parliament, suggested that parliament adopt a new law on hate speech. At the time, Oruc said the main goal was to prevent hate speech in the information space, possibly with the inclusion of social media platforms [in recent years, several members of parliament and government representatives have stressed that social networks should be regulated by law in Azerbaijan]. While stressing the urgency of adopting such a law, Oruc failed to address the exact nature of this urgency. In addition, likely in response to a possible backlash from independent lawyers and civil society in Azerbaijan, the MP said the new bill cannot be viewed “as a document against freedom of speech and expression”. Nevertheless, many of the responses that followed this announcement were critical of the proposal, especially in light of the legal context, where plenty of existing laws and procedures already address hate speech in one form or another.

In January 2020, the discussion on adopting the bill on hate speech was back on the agenda. Speaking at the first meeting of the spring session of the Parliamentary Committee on Human Rights, the chairman of the committee, Zahid Oruc, noted that the spring session would focus on the analysis of world experience in the field of defamation and “hate speech” legislation.

But what about the analysis of Azerbaijan’s experience in the field of defamation? 

In Azerbaijan, a number of conceptual elements of hate speech are envisaged in different normative legal acts, including the Code of Administrative Offences, the Criminal Code, the Law on Information, Informatization and Protection of Information, and the Law on Mass Media. In other words, several Azerbaijani laws include measures that are designed to address unacceptable online content (including hate speech), ranging from removing content to making content temporarily inaccessible on the information-telecommunication network.

According to Article 47 of the Constitution of the Republic of Azerbaijan, everyone has the right to freedom of thought and speech. Agitation and propaganda, inciting racial, national, religious, social discord and animosity, or relying on any other criteria is inadmissible. Azerbaijan has also ratified the European Convention on Human Rights (hereinafter “ECHR”) where Article 10 provides that everyone has the right to freedom of expression.

Azerbaijan’s history is rich with examples where existing laws were abused to restrict freedom of expression, and the national legislation has so far failed to comply with international human rights standards with respect to the safety of media workers or citizens who exercise their right to freedom of expression. That, and the lack of independent judicial oversight over the restrictions on freedom of expression and thought, pose additional challenges in the current environment.

In 2017, when changes were made to the law on combating religious extremism, two prominent members of the Popular Front Party were arrested under the existing legislation, even though it was clear that it was a setup, as neither of the activists had any religious affiliation. In January 2017, a Baku court sentenced senior opposition Popular Front member Fuad Gahramanli to 10 years in jail for inciting religious and ethnic hatred. Gahramanli was known for his criticisms of the government on Facebook. In July 2017, a court convicted Faig Amirli, another Popular Front member and financial director of the now-closed pro-opposition Azadlig newspaper, on bogus charges of inciting religious hatred and tax evasion. Amirli was handed a suspended sentence.

Four out of seven alerts in 2019 related to detention. Despite the March 2019 release of some wrongfully imprisoned journalists, including anti-corruption blogger Mehman Huseynov, the detention and harassment of journalists continue to this day.

During the height of the pandemic in Azerbaijan, the parliament introduced a series of amendments to existing laws that were then used to prosecute activists. Scores of activists were rounded up, including members of the opposition Popular Front [some of these arrests were captured here]. 

The government of Azerbaijan has consistently ignored the international calls, including the judgments of the European Court of Human Rights (ECtHR) requiring Azerbaijan to reform its domestic legislation with respect to freedom of expression and media rights in order to ensure that it is in line with the international standards. Instead of reforms, the government of Azerbaijan has aggravated the criminal liability for defamation and expanded the scope of the criminal liability to the online spaces (2016 amendments to the Criminal Code), adopted a criminal liability for extremist views on vague grounds, and established administrative liability for spreading false information.

These developments were contrary to the ECtHR’s findings in the Fatullayev, Mahmudov, and Agazade v. Azerbaijan cases (2008) where the Court found that application of provisions of the criminal law on defamation had been contrary to Article 10 of the Convention and the Council of Europe calls to the Member States that prison sentences for defamation should be abolished without further delay [Resolution 1577 (2007) of the Parliamentary Assembly, Towards decriminalization of defamation, to which the Strasbourg Court has referred on a number of occasions].

The country’s poor ranking on most of the rights and freedoms indexes attests to the grave reality in the country. It was also reflected in a statement issued following the Council of Europe Commissioner for Human Rights Dunja Mijatović’s visit to Azerbaijan in July 2019, where the Commissioner said, “Freedom of expression in Azerbaijan continued to be under threat”.

The key state obligations while regulating the online hate speech and general concerns for the Azerbaijani context

Although the term “hate speech” is widely used in legal, policy-making, and academic circles, there is often disagreement about its scope and about how it can best be countered [Dr. Tarlach McGonagle. The Council of Europe against online hate speech: Conundrums and challenges, p. 3].

There is no international legal definition of hate speech, and the characterization of what is ‘hateful’ is controversial and disputed. However, in 1997 the Committee of Ministers of the Council of Europe adopted a Recommendation (No. R (97) 20) on hate speech which stated the term (non-binding) “shall be understood as covering all forms of expression which spread, incite, promote or justify racial hatred, xenophobia, anti-Semitism or other forms of hatred based on intolerance, including intolerance expressed by aggressive nationalism and ethnocentrism, discrimination and hostility against minorities, migrants and people of immigrant origin”. 

In its case law the European Court of Human Rights, without adopting a precise definition, has regularly applied this term to forms of expression that spread, incite, promote or justify hatred founded on intolerance, including religious intolerance.

Key concerns for the abusive application of the hate-speech regulations

There have been growing concerns in many countries that hate speech regulations (both online and offline) are often misused or result in a violation of freedom of thought and expression. To this end, many international human rights organizations have often raised concerns on this matter, issued general recommendations, and developed standards for the regulation of hate speech to ensure that such regulations are in line with international human rights standards.

As noted, hate speech has threatened freedom of expression in many countries. Despite the importance “to prevent all forms of expression which spread, incite, promote or justify hatred based on intolerance …,” [Erbakan v. Turkey judgment of 6 July 2006, § 56] the presence of hate speech constitutes a serious threat to freedom of expression in the process of potentially limiting the expression as such.

On May 13, 2020, the freedom of expression organization ARTICLE 19 warned that France’s new “Avia” Law would threaten freedom of speech in France. When the draft bill on hate speech was discussed in France, “the French government has ignored the concerns raised by digital rights and free speech groups, and the result will be a chilling effect on online freedom of expression in France”. Consequently, on June 18, 2020, the French Constitutional Council (Conseil constitutionnel), the highest constitutional authority in France, declared that the majority of the Law on Countering Online Hatred, more commonly known as the Avia Law, was unconstitutional. This declaration rendered the key provisions in the law invalid. In its decision, the Constitutional Council held that certain provisions infringe “on freedom of speech and communication, and are not necessary, appropriate and proportionate to the aim pursued”.

International human rights law provides that states may restrict freedom of expression (only) where provided by law, on the condition that the restriction meets the principles of legality or necessity and proportionality.

Alongside these principles, an effective judicial review is needed to prevent any abuse of laws capable of restricting freedom of expression. The judicial review of such a measure, based on a weighing-up of the competing interests at stake and designed to strike a balance between them, is inconceivable without a framework establishing precise and specific rules regarding the application of preventive restrictions on freedom of expression [Ahmet Yıldırım v. Turkey, § 64; Cengiz and Others v. Turkey, § 62, which concerns the freedom to receive and impart information and ideas; see also OOO Flavus and Others v. Russia, §§ 40-43]. Furthermore, in some cases, for determining the proportionality, the ECtHR assesses the quality of the parliamentary and judicial review of the necessity of the measure [Animal Defenders International v. the United Kingdom [GC], §§ 108-109].

First and foremost among these safeguards is the guarantee of review by an impartial decision-making body that is separate from the executive and other interested parties.

The UN Special Rapporteur notes that “any restriction imposed must be applied by a body that is independent of political, commercial or other unwarranted influences in a manner that is neither arbitrary nor discriminatory, and with adequate safeguards against abuse” (A/67/357, para. 42).

This is not the case in Azerbaijan. For instance, the Ministry of Communications and Information Technologies is the main body regulating the internet in Azerbaijan, something that experts have called to change by sharing this role with an organization that is not under state control. The ICT market is also fairly concentrated in the hands of the government.

In its report (A/74/486, 9 October 2019), the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression evaluates the human rights law that applies to the regulation of online “hate speech” and notes that any restriction, and any action taken against speech, should meet the conditions of legality, necessity and proportionality, and legitimacy [Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, A/74/486, 9 October 2019, para. 20], and notes the need to establish or strengthen independent judicial mechanisms to ensure that individuals may have access to justice and remedies in case of restrictions. The Special Rapporteur further notes that “as a first principle, States should not use Internet companies as tools to limit expression that they themselves would be precluded from limiting under international human rights law” [para. 29]. In the meantime, the same Recommendation envisages a principle [third principle] requiring governments to ensure that interferences with freedom of expression, in the context of combating hate speech, are narrowly circumscribed and applied in a lawful and non-arbitrary manner on the basis of objective criteria, and that they must be subject to independent judicial control.

In addition to discussions on adopting the law on Hate Speech, there are also plans to adopt a new law on Media at the moment. The consistent view of the government to regulate social networks with the “hate speech” law poses an additional risk to the systematically undermined freedom of expression in Azerbaijan. There is no guarantee that Azerbaijan’s government will not use lex ferenda regulations as a tool of oppression against its political opponents and civil society.

Without genuine consultations with civil society organizations and independent journalists, and given the disregard for the constant calls of human rights organizations and ECtHR judgments to reform the domestic laws to remove irrelevant and restrictive frameworks over freedom of expression, the new hate speech and media laws should be regarded as a serious concern [Dr. Tarlach McGonagle. The Council of Europe against online hate speech: Conundrums and challenges, p. 29].

Instead of addressing the systematic shortcomings, in particular, rendering the restrictive legal frameworks in the sphere of freedom of conscience, freedom of expression and thought, and internet freedom, the government of Azerbaijan continues to add more restrictive regulations into its legislation that is likely to undermine the last remnants of freedom of expression – the online spaces.

In addition, while in a hurry to pass restrictive legislation against freedom of expression, the government of Azerbaijan remains inactive when it comes to the effective investigation of the smear campaigns and hateful attacks against minority groups, such as LGBTQ communities and feminists.

Finally, having reviewed the current environment of repression and crackdown, and specifically, in the absence of effective judicial oversight and a fully independent regulatory body accountable to the public, it can be concluded that there is no urgency for any new regulations at the moment in Azerbaijan.

Restrictive new bills sweep freedoms under the carpet [part 1]

This is part one in a series of detailed reports and analysis on existing legal amendments and new legislation affecting freedom of expression, media, and online rights in Azerbaijan and their compliance with international standards for freedom of expression.  

In March of last year, AIW shared an update about amendments to an existing bill on Information provisions, Informatization, and Protection of Information and Code of Administrative Offences of the Republic of Azerbaijan. Now, let’s take a closer look at these amendments and what they entail. 

Amendments to the Information Law

Amendments to the existing bill on Information provisions, Informatization, and Protection of Information extended responsibility for the placement of prohibited information, including “false information,” on information-telecommunication networks to users.

This means that the amendments establish the liability of information-telecommunication network users for placing prohibited content on those networks.

The amendments also added an item to the list of prohibited content, forbidding the placement of false information: thus, prohibited information was considered “false information [yalan məlumatlar] in case it posed a threat to harm human life and health, cause significant property damage, mass violation of public safety, disrupt life support facilities, financial, transport, communications, industrial, energy and social infrastructure facilities or other socially dangerous consequences.”

In other words, if users place content on the internet that might be considered false information capable of disrupting the functioning of state bodies or their activities, it can be treated as a violation of the existing law.

Amendments to the Code of Administrative Offences

During the same plenary meeting on March 17, 2020, an amendment to article 388-1 of the Code of Administrative Offenses (CAO) of Law No. 27-VIQD was also approved.

Article 388-1 of the CAO was made harsher with a penalty of up to one month of administrative detention, alongside other sanctions, against real or legal persons who own internet information resources and associated domain names, as well as against users of information-telecommunication networks, for the placement of prohibited information on such internet information resources or for the violation of provisions of the Information Law aimed at preventing its placement.

With the amendments introduced to laws, users of the information-telecommunication network, owners of internet information resources, and domain names might be punished under Article 388-1 of the CAO. The penalty for the offense is a fine between 500 and 1000 manats (about US$294–$588) for real persons and 1000 to 1500 manats for officials, with an option of up to one month of administrative detention for both classes of persons depending on the circumstances and the identity of the offender.

Implementation of the Amendments (abuse of application)

Shortly after the amendments, police applied these provisions frequently against individuals, including political activists and journalists, despite calls from United Nations, Council of Europe, and OSCE expert bodies urging the authorities to address disinformation in the first instance by having relevant government institutions provide reliable information, and to resort to other restrictive measures only where they met the standards of necessity and proportionality. This did not prevent authorities from targeting a number of activists and journalists in the following days.

On April 16, 2020, Human Rights Watch documented how Azerbaijani authorities abused quarantine restrictions, allegedly to fight disinformation, while arresting opposition activists and silencing government critics. HRW documented at least six activists and opposition journalists sentenced to detention ranging from 10 to 30 days.

March 21, 2020, Ilgar Atayev was called in for questioning and charged under article 388.1 of the code of administrative offenses – sharing prohibited information on the Internet or Internet – telecommunication networks. According to Meydan TV, an independent online news platform, although Atayev informed that the charges against him were sent to court, he was not aware of the exact accusation. Authorities claimed at the time that Atayev shared information on COVID without quoting official sources and that the shared information was false.

March 23, 2020, according to the Ministry of Internal Affairs’ press service, three people were administratively arrested for allegedly spreading misinformation about the coronavirus infection.

March 27, 2020, according to the Ministry of Internal Affairs’ press service, between March 26 and 27, 15 people were identified and summoned to the local police on the grounds of allegedly spreading misinformation about the coronavirus infection on social networks and the WhatsApp instant messaging application. After the relevant investigations, police warned seven people, fined five, and sentenced three to administrative detention.

April 4, 2020, according to the Ministry of Internal Affairs’ press service, during the control measures carried out between April 1-2, one person was administratively arrested, and five people were fined for allegedly spreading false information about the coronavirus infection on social networks, including the WhatsApp instant messaging application.

April 6, 2020, according to the Ministry of Internal Affairs’ press service, one person received a warning for allegedly spreading false information about the coronavirus infection on social networks, including the WhatsApp instant messaging application.

Amid on-going arrests, detentions, and fines, on April 3, 2020, the Council of Europe Commissioner for Human Rights issued a statement noting that press freedom must not be undermined by measures to counter disinformation about COVID-19.

Analysis of the law

Content regulation rules and policies which presumably touch on the freedom of speech must meet the strict criteria under international and regional human rights law. According to the European Court of Human Rights jurisprudence, a strict three-part test is required for any content-based restriction.

The Court notes that the first and most crucial requirement of Article 10 of the Convention is that any interference by a public authority with the exercise of the freedom of expression should be lawful.

The second paragraph of Article 10 stipulates that any restriction on expression must be “prescribed by law”. Furthermore, any restrictions need to be necessary in a democratic society [See Sunday Times v. UK (No. 2), Series A no. 217, 26.11.1991, para. 50; Okçuoğlu v. Turkey, No. 24246/94, 8.7.1999, para. 43.] and the state interference should correspond to a “pressing social need” [See Sürek v. Turkey (No. 1) (Application No. 26682/95), the judgment of 8 July 1999, Reports 1999; Sürek (No. 3) judgment of 8 July 1999.]. The state response and the limitations provided by law should be “proportionate to the legitimate aim pursued” [See Bladet Tromsø and Stensaas v. Norway [GC], no. 21980/93, ECHR 1999-III.]. Therefore, the necessity of the content-based restrictions must be convincingly established by the state [The Observer and The Guardian v. the United Kingdom, the judgment of 26 November 1991, Series A no. 216, pp. 29-30, § 59.].

The Law on Information, Informatisation, and Protection of Information (Law № 460-IQ)

In 2017, the Law (1998) was updated with a series of restrictive amendments, converting the Law from a technical regulation into a content regulation.

Primary concerns of the Law concerning content regulation:

Owners of Internet information resources, including owners of the domain name, host, and internet providers, bear strict administrative liability to remove content manifestly prohibited under article 13-2.3 within 8 hours of notice;

In urgent cases, [when the legally protected interests of the state and society are threatened or a real threat to human life and health requires it] the internet information resource may be temporarily restricted on the basis of a decision of the regulatory body – Ministry of Transport, Communications and High Technologies [the restriction is applied without a court order. Although an application is made to the court, the decision to close down the online information source remains in force until the court handles the case or the decision is annulled.]

If they refuse to remove the content within the 9 hours following the government’s notice, owners of internet information resources, owners of domain names, host, and internet providers will face court action with possible administrative sanctions.

Safeguards against removal and blocking procedures:

Article 13-3.1 of the law provides that the relevant executive authority (regulatory body) shall issue a warning to the owner of the Internet information resource and its domain name and the hosting provider in writing if it directly discovers cases of placement of prohibited information in the Internet information resource or identifies it based on substantiated information received from individuals, legal entities or government agencies;

Existing legislation and practice concerning content removal and blocking do not provide adequate safeguards against arbitrariness;

for instance, there is no requirement to inform the information resource owners, Internet and host providers or owners of other sites and their users before issuing the content removal warning, and failure to implement the warning leads to a penalty because the Code of Administrative Offenses provides for liability for both the posting of prohibited information and the failure to remove prohibited information posted on the Internet.

The Law on Information, Informatisation, and Protection of Information provides that a warning about content removal is considered a mandatory requirement and that failure to obey is sanctioned under Article 388-1.1 of the CAO, with possible court action for a blocking order.

Content removal and blocking procedures also lack transparency and fairness:

The law does not oblige the regulatory body to provide the information resource owners, internet and host providers, or other sites with a substantiated opinion giving the reasoning for why content is prohibited. In other words, the regulatory body and other state authorities can request the removal of content or the blocking of access to websites without any obligation to substantiate their demands.

Vague Terms and Quality of Law Standards:

Sufficient clarity is a requirement of the quality of law standard established by the ECHR case-law, which requires that the law be both adequately accessible and foreseeable, that is, formulated with sufficient precision to enable the individual to foresee the consequences which a given action may entail, and indicate with sufficient clarity the scope of any discretion conferred on the competent authorities and the manner of its exercise [see Hasan and Chaush v. Bulgaria [GC], no. 30985/96, § 84, ECHR 2000‑XI; and Ahmet Yıldırım, cited above, §§ 57 and 59].

In the list of prohibited information envisaged in the Law on Information, Informatisation, and Protection of Information, the definition of what entails prohibited content is described with vague expressions that are open to excessive interpretations. With these terms, the state authorities “enjoy” a broad discretionary power to categorize any information as prohibited (Law № 460-IQ).

For instance, article 13-2.3.2 of the Law (№ 460-IQ) classifies the information on the promotion of violence and religious extremism and calls for the separation of territorial integrity as prohibited content. Religious extremism and calls for the separation of territorial integrity are vague terms that lack sufficient clarity.

The Law on Combat with Religious Extremism (LCRE), adopted in December 2015, defines religious extremism in article 1.0.1.1 with vague and problematic expressions. The Law refers to acts such as “humiliating national dignity,” “compromising religion,” and “preparing, storing and disseminating religious extremist material” as amounting to religious extremism. Expressions such as “national dignity” or “humiliation of national dignity” are non-legal concepts that are not defined in the domestic laws and are therefore subject to broad interpretation by the authorities applying them, opening the way to misinterpretation of the concept and its application in an arbitrary manner [Furthermore, article 1.0.1.6 of the LCRE refers to “forcing someone to practice any religion (religious belief), including performing religious ceremonies and rituals as well as to religious education” as another act of religious extremism, which is equally problematic and may collide with the idea of spreading ideas of religious beliefs and inviting others to join, as a part of exercising freedom of religion, subject to the interpretation of the two concepts by the authorities, in absence of any criteria or clear terms in place. As the ECtHR has ruled, freedom of religion and the freedom to change religion in particular cover activities aimed at persuading others to change religion.]

Procedural safeguards:

Another problematic provision is article 13-2.3.9 of the law, which classifies insult and slander as prohibited content online. Generally, the legislation of Azerbaijan provides for both civil action and criminal prosecution of defamation. As to the criminal prosecution of defamation, as of March 2017, there are four articles in the Criminal Code that provide criminal liability for defamation. With the amendments to the Law on Information, Informatization, and Protection of Information and Code of Administrative Offences on 17 March 2020, defamation is now sanctioned under the code of administrative offenses.

In practice, police often apply this provision against people who allegedly insult police or other state officials. 

On June 27, 2020, police arrested and fined several individuals who had criticized singers who devoted a song to the police, claiming that they had allegedly insulted the singers, and their honor and dignity, on social networks. Meydan TV’s investigation revealed that most of those punished were representatives of opposition parties such as the Popular Front and Musavat, as well as public activists. They were punished under Article 388-1 (posting of information prohibited from dissemination on the Internet).

However, the application of this provision contradicts domestic legislation. In Azerbaijan, it is not up to the police to classify information as slander or insult; that determination is made exclusively by the respective domestic courts upon the complaints of individuals.

According to well-established court practice, courts always decide to conduct an expert examination to assess whether information/opinion is insulting or slanderous, and then the judge relies on the result of the expert examination. Furthermore, the law does not exclude the possibility that the same statement may be subject to both civil and criminal proceedings for defamation. 

Furthermore, the law does not specify how the sanction might be imposed if alleged prohibited content is identified. It is not clear from the text whether the website user will bear the responsibility alone or together with the owner of the internet or host provider. It is seemingly left to the executive authority to decide. For instance, in the case of a media article that allegedly contains prohibited content, the government may block the website forever while, in parallel, imposing sanctions on the content owner (user of the information resource).

Proportionate and necessary:

As discussed above, if the restriction does not meet proportionality and necessity requirements, the content removal or blocking measures may lead to a violation of freedom of expression guaranteed under article 10 of the European Convention on Human Rights. The Law on Information, Informatisation, and Protection of Information fails to define the categories of blocking orders, such as blocking of entire websites, Internet Protocol (IP) addresses, ports, network protocols or types of use, like social networking, or to set a limit on the duration of the blocking order. These are crucial parameters of the interference for assessing whether the applied methods are proportionate and necessary in a democratic society to limit the freedom of expression.

Conclusion

This ambiguous law gives the state extensive flexibility to consider different, particularly critical, views as false and government views as correct. The new amendments stipulate that information shared on the Internet which disrupts the activities of state institutions is prohibited and punishable under the Code of Administrative Offences. False information is also prohibited and punishable if such information threatens other socially dangerous consequences, which the law does not define.

Such vague definitions and ambiguous expressions provide extensive discretionary powers for the state authorities, allowing them to label critical views as false and prohibited. Given the abovementioned concerns, the Law on Information, Informatisation, and Protection of Information does not comply with international standards on freedom of expression. Its scope remains incredibly broad in terms of vague definitions, lack of safeguards, and procedural guarantees.