Legal analysis of a COVID tracing app released last year in Azerbaijan

This is part three in a series of detailed legal reports and analyses on existing legal amendments, and new legislation affecting privacy, freedom of expression, media, and online rights in Azerbaijan and their compliance with international standards for freedom of expression.  

In July, of last year, authorities in Azerbaijan released their very own COVID tracing tracker application. Launched by Tebib (Azerbaijan Administration of Regional Medical Division) the app was quick to draw attention, especially over its privacy issues.

The mobile app is operated by the Data Processing Center (DPC), which is the main structure of the information technologies of the Ministry of Transport, Communications, and High Technologies. According to the app’s version history at App Store, the application “update” was done on 27 May 2021. 

e-Tebib is just one of the deluge of apps unveiled during the height of the COVID-19 pandemic by various governments, promising to detect COVID-19 exposure and not only.

Below, we break down the pervasiveness of the app having analyzed existing national and international legislation.

Features and concerns

According to the app’s description, “E-Tebib is designed to inform users in real-time about the number of patients (both sick and recovered) in Azerbaijan.” Since the start of the pandemic, the official data for Azerbaijan on the number of infected patients and recoveries were made available here and the numbers were updated once a day – based on the numbers reported by the Operational Headquarters set up under the Cabinet of Ministers of the Republic of Azerbaijan (the unit was established on February 27, 2020). Already from the start, it was unlikely the app was going to provide real-time indicators when the main body in charge only shared the information once a day. 

In addition, article 4.4 in the user agreement of the app, explicitly said that any information, obtained through the app, may not be precise, correct, or trusted. And yet, the app also claimed to reduce the number of infected patients by informing users of potential COVID infected patients around them via Bluetooth technology. 

Although the app claimed it did not collect any personal data aside from the user’s phone number the article 5.3 of the license agreement stated, the center [the Ministry of Communication, Transportation and High Technologies who owns the app’s license] collected users’ names, last names, phone numbers, social media accounts, emails, national ID numbers, and location.

Article 5.1 mentioned the center was sharing this information with third parties. These third parties were allowed to analyze collected information including users’ browsing history [The center did claim that it did not allow third parties, to use the obtained information for other purposes]. Article 5.5.1 stated the center may share users’ information with government bodies and/or representatives’ legal requests; court orders; or under any other legal condition. Furthermore, article 5.6 stated that users’ information may be shared with third parties in other countries for security purposes.

What the law says

According to Article 5.1 of the Law on Personal Data personal information is protected from the moment it is collected and for this purpose, it is divided into confidential and public categories according to the type of access. Article 5.2 of the Law on Personal Data stipulates that confidential personal data must be protected by the owner, operator, and users who have access to this information on a level required by law. Confidential personal information may be disclosed to third parties only with the consent of the subject, except as provided by law. Article 5.3 of the Law on Personal Data defines open personal data as information anonymously duly declared, made public by the subject, or entered into the information system with the consent of the subject. The person’s name, surname, and patronymic are permanently open personal information.

The terms of the agreement [of the app] on sharing private information with the third parties are vaguely regulated and open to wide interpretation for unlawful transmission of the private information with third parties.

Furthermore, article 5.5.1 of the app’s agreement that states information might be shared upon the government representatives’ legal requests are problematic from the human rights perspective. It fails to specify on which grounds and under what conditions the state authorities might request the private information which is necessary for terms of procedural fairness and safeguards against arbitrariness.

Where personal information is stored for the interest of the protection of health, there should be adequate and effective guarantees against abuse by the state. The law in question, which allows the storing of such information, must indicate with sufficient clarity the scope and conditions of exercise of the authorities’ discretionary power. These standards to some extent are also backed in Article 11.2.2 of the Law on Personal Data which states that when collecting personal data, the owner or operator must notify the subject about the purpose of personal data that is being processed and the legal grounds of this purpose.

In other words, it is not clear whether any state authority can have access to private information simply upon requesting it without legal justification. This is also a requirement of the Law “About operational search activities” as per Article 10. Thus, Article 10 of the Law states that the extraction of information from technical communication channels and other technical means is carried out on the basis of the decision of the court [judge].

Article 5.10., of the app’s user agreement states that all user-related data is kept for a month. But it fails to explain whether the same expiry date applies to “third parties” that may have access[ed] [to the] users’ information. This is contrary to Article 8.2., of the Law on Personal Data. Law on Personal Data requires that for the purpose of collecting and processing of personal data (specifically Article 8.2.3.,) and conditions of destruction or archiving of personal data collected in the relevant information system after the expiration of the period of storage or after the death of the subject in the manner prescribed by law must include a written consent for the processing of the subject’s personal data.

Such vagueness is also contrary to the ECtHR’s well-established case law. In Aycaguer v. France case, the ECtHR ruled, there was a violation of Article 8 (right to respect for private life) of the Convention by “determining the duration of storage of […] personal data depending on the purpose of the file stored […]”. The Court noted that, to date, no appropriate action was taken on that reservation and that there was currently no provision for differentiating the period of storage. The Court also ruled that the regulations on the storage of DNA profiles did not provide the data subjects with sufficient protection, owing to its duration and the fact that the data could not be deleted. The regulations, therefore, failed to strike a fair balance between the competing public and private interests.

Another concern was that the application was developed by A2Z Advisors LLC and the app’s privacy policy was linked to the company’s website. The landing page of A2Z Advisors LLC, however, did not provide any information on the app’s privacy policy. At the time when the app was launched, AIW reached out for comment via email as per A2Z’s recommendation but never received a response.

Similarly, in the App Store for IOs when clicking on the “App Support” tab, the page once again led to the A2Z company website and once again failed to provide any information related to the App. Instead, the privacy policy was accessible via this link that a user had access to but only after downloading and launching the app. This in itself was contrary to the several articles of the Law on Personal Data.

According to Article 11 of the law, it is required, when collecting personal data, that the owner or operator, notifies the subject about the level of protection of personal data collected and processed in the information system [11.2.3.]; the information on the existence of a certificate of conformity of information systems and state examination [11.2.4.]; and the scope of the intended uses of personal data, including the information system for which the information is to be exchanged [11.2.5.]. However, no such information was provided in the app’s agreement.

The app was also not an open-source code and was licensed under the Ministry of Communication, Transportation, and High Technologies. This is contrary to the requirement [Article 6.22.,] of the Resolution of the Cabinet of Ministers about “Requirements on creation and management of Internet information resources of state bodies”, which requires that open source content management systems should not be used in internet information resources.

FaktYoxla, a fact-checking platform in Azerbaijan concluded after a detailed legal analysis over the license agreement that e-Tebib was not designed in accordance with the national legislation on data privacy. The fact-checking platform, having analyzed the respective case-law of the European Court, the EU Data Protection Directive, and the Council of Europe Treaty 108, concluded that the e-Tebib application contradicted the obligations imposed by international standards.

On July 10, 2020, following widespread privacy concerns and questions over the app’s transparency, changes were made to the terms of the agreement.

Originally users’ information was transferred to third parties, which were not explicitly defined in the agreement. At the time, independent experts and lawyers said this was against Article 32 of Azerbaijan’s state constitution and in violation of Article 8 of the European Convention on Human Rights.  Azerbaijan’s constitution, namely, Article 8, stipulates that no one has a right to collect personal information without an individual’s permission. The convention, on the other hand, refers to respect for privacy. 

***In Copland v. the United Kingdom case (no. 62617/00, ECHR 2007-I), the Court found that it was irrelevant that the data held by the college where the applicant worked was not disclosed or used against her in disciplinary or other proceedings. Just storing the data amounted to an interference with private life.

The updated license agreement said that only under necessary circumstances, and within the normative legal framework personal information may be transferred to third parties. The revised agreement, still, fails to explicitly mention the precise list of institutions considered under third parties.

Fuad Niftaliyev – the head of the app development project later explained that the third parties referred to in the agreement are the Ministry of Health, Tebib, and the Operational Headquarters [set up under the Cabinet of Ministers of the Republic of Azerbaijan]. Niftaliyev clarified that the collected information was stored on the servers operated by the Ministry of Communication and Information, however that too was problematic, given the questionable transparency of the government institutions in Azerbaijan especially as surveillance technology is widely used by the ministries alike. 

Restrictive new bills sweep freedoms under the carpet [part 1]

This is part one in a series of detailed reports and analysis on existing legal amendments and new legislation affecting freedom of expression, media, and online rights in Azerbaijan and their compliance with international standards for freedom of expression.  

In March of last year, AIW shared an update about amendments to an existing bill on Information provisions, Informatization, and Protection of Information and Code of Administrative Offences of the Republic of Azerbaijan. Now, let’s take a closer look at these amendments and what they entail. 

Amendments to the Information Law

Amendments to an existing bill on Information provisions, Informatization, and Protection of Information extended the subjects – to users – of responsibilities for placement of prohibited information, including the “false information” on information-telecommunication networks.

This means that amendments establish the liability over the information-telecommunication network users to place prohibited content on the information-telecommunication networks; 

The amendments also added an item to the list of prohibited content, forbidding the  placement of false information: thus, prohibited information was considered “false information [yalan məlumatlar] in case it posed a threat to harm human life and health, cause significant property damage, mass violation of public safety, disrupt life support facilities, financial, transport, communications, industrial, energy and social infrastructure facilities or other socially dangerous consequences.”

In other words, if users placed content on the internet that might be considered false information capable to disrupt the functioning of state bodies or their activities it can be considered on the grounds of violating the existing law.

Amendments to the Code of Administrative Offences

During the same plenary meeting on March 17, 2020, an amendment to article 388-1 of the Code of Administrative Offenses (CAO) of Law No. 27-VIQD was also approved.

Article 388-1 of the CAO was aggravated with the penalty of up to one-month administrative detention with other sanctions against real or legal person owners of internet information resources and associated domain names as well as on users of information-telecommunication networks for the placement, or the violation of provisions of the Information Law aiming at preventing the placement, of prohibited information on such internet information resources.

With the amendments introduced to laws, users of the information-telecommunication network, owners of internet information resources, and domain names might be punished under Article 388-1 of the CAO. The penalty for the offense is a fine between 500 and 1000 manats (about US$294–$588) for real persons and 1000 to 1500 manats for officials, with an option of up to one month of administrative detention for both classes of persons depending on the circumstances and the identity of the offender.

Implementation of the Amendments (abuse of application)

Shortly after the amendments, police applied these provisions frequently against individuals, including political activists and journalists despite the call from the United Nations, Council of Europe, and OSCE expert bodies urging the authorities to address the disinformation in the first instance by relevant government institutions, providing reliable information and resorting to other restrictive measures, only where they met the standards of necessity and proportionality. This did not prevent authorities from targeting a number of activists and journalists in the following days.

On April 16, 2020, Human Rights Watch documented how Azerbaijani authorities abused quarantine restrictions allegedly to fight with disinformation while arresting opposition activists and silencing the government critics. HRW documented at least six activists and opposition journalists’ sentenced to detentions ranging from 10 to 30 days.

March 21, 2020, Ilgar Atayev was called in for questioning and charged with article 388.1 of the code of administrative offenses – sharing prohibited information on the Internet or Internet – telecommunication networks. According to Meydan TV, an independent online news platform, although Atayev informed that the charges against him were sent to court, he was not aware of the exact accusation. Authorities claimed at the time, Atayev, shared information on COVID without quoting official sources and that the shared information was false.

March 23, 2020, according to the Ministry of Internal Affairs’ press service, three people were administratively arrested for allegedly spreading misinformation about the coronavirus infection.

March 27, 2020, according to the Ministry of Internal Affairs’ press service, between March 26 and 27, 15 people were identified and summoned to the local police on the grounds of allegedly spreading misinformation about the coronavirus infection on social networks and WhatsApp instant messaging application. After the relevant investigations, police warned seven people, fined five, and sentenced three to administrative detention.

April 4, 2020, according to the Ministry of Internal Affairs’ press service, during the control measures carried out between April 1-2, one person was administratively arrested, and five people were fined for allegedly spreading false information about the coronavirus infection on social networks, including WhatsApp instant messaging application.

April 6, 2020, according to the Ministry of Internal Affairs’ press service, one person received a warning for allegedly spreading false information about the coronavirus infection on social networks, including WhatsApp instant messaging application.

Amid on-going arrests, detentions, and fines, on April 3, 2020, the Council of Europe Commissioner for Human Rights issued a statement noting that press freedom must not be undermined by measures to counter disinformation about COVID-19.

Analysis of the law

Content regulation rules and policies which presumably touch on the freedom of speech must meet the strict criteria under international and regional human rights law. According to the European Court of Human Rights jurisprudence, a strict three-part test is required for any content-based restriction.

The Court notes that the first and most crucial requirement of Article 10 of the Convention is that any interference by a public authority with the exercise of the freedom of expression should be lawful.

The second paragraph of Article 10 stipulates that any restriction on expression must be “prescribed by law”. Furthermore, any restrictions need to be necessary for a democratic society [See Sunday Times v. UK (No. 2), Series A no. 217, 26.11.1991, para. 50; Okçuoğlu v. Turkey, No. 24246/94, 8.7.1999, para. 43.] and the state interference should correspond to a “pressing social need”.[See Sürek v. Turkey (No. 1) (Application No. 26682/95), the judgment of 8 July 1999, Reports 1999; Sürek (No. 3) judgment of 8 July 1999.] The state response and the limitations provided by law should be “proportionate to the legitimate aim pursued” [See Bladet Tromsø and Stensaas v. Norway [GC], no. 21980/93, ECHR 1999-III.] Therefore, the necessity of the content-based restrictions must be convincingly established by the state [The Observer and The Guardian v. the United Kingdom, the judgment of 26 November 1991, Series A no. 216, pp. 29-30, § 59.]

The Law on Information, Informatisation, and Protection of Information (Law № 460-IQ)

In 2017, the Law (1998) was updated with a series of restrictive amendments, converting the Law from a technical regulation into a content regulation.

Primary concerns of the Law concerning content regulation:

Owner of the Internet information resource, including owners of the domain name, host, and internet providers bear a strict administrative liability to remove the content manifestly prohibited under article 13-2.3 within 8 hours of notice;

In urgent cases, [when the legally protected interests of the state and society are threatened or there is a real threat to human life and health requires to do] the internet information resource may be temporarily restricted on the basis of a decision of the regulatory body – Ministry of Transport, Communications and High Technologies [restriction is applied without a court order. Although an application is made to the court, the decision to close down the online information source remains in force until the court handles the case or the decision is annulled.]

In refusing to remove the content upon the government’s notice within the 9 hours, owners of internet information resources, owners of domain names, host, and internet providers will face a court sue with possible administrative sanctions.

Safeguards against removal and blocking procedures:

Article 13-3.1 of the law provides that the relevant executive authority (regulatory body) shall issue a warning to the owner of the Internet information resource and its domain name and the hosting provider in writing if it directly discovers cases of placement of prohibited information in the Internet information resource or identifies it based on substantiated information received from individuals, legal entities or government agencies;

Existing legislation and practice concerning content removal and blocking do not provide adequate safeguards against arbitrariness;

for instance, there is no requirement to inform the information resource owners, Internet and host providers or owners of other sites and their users before issuing the content removal warning, and failure to implement the warning leads to a penalty because the Code of Administrative Offenses provides for liability for both the posting of prohibited information and the failure to remove prohibited information posted on the Internet.

The Law on Information, Informatisation, and Protection of Information provide that warning about content removal is considered a mandatory requirement and that failure to obey is sanctioned under Article 388-1.1 of the CAO and possible court sue for block order.

Content removal and blocking procedures also lack transparency and fairness:

The law does not oblige the regulatory body to provide the information resource owners, internet and host providers, or other sites’ substantiated opinion reasoning for the content prohibited. In other words, the regulatory body and other state authorities can request to remove the content or block access to websites without any obligation to substantiate their demands.

Vague Terms and Quality Law Standards:

Sufficient clarity is the requirement of the quality law standard established by the ECHR case-law which requires that the law be both adequately accessible and foreseeable, that is, formulated with sufficient precision to enable the individual to foresee the consequences which a given action may entail, and indicate with sufficient clarity the scope of any discretion conferred on the competent authorities and the manner of its exercise [see Hasan and Chaush v. Bulgaria [GC], no. 30985/96, § 84, ECHR 2000‑XI; and Ahmet Yıldırım, cited above, §§ 57 and 59].

In the list of prohibited information envisaged in the Law on Information, Informatisation, and Protection of Information, the definition of what entails prohibited content is described with vague expressions that are open to excessive interpretations. With these terms, the state authorities “enjoy” a broad discretion power to categorize any information as prohibited (Law № 460-IQ). 

For instance, article 13-2.3.2 of the Law (№ 460-IQ) classifies the information on the promotion of violence and religious extremism and calls for the separation of territorial integrity as prohibited content. The religious extremism and calls for the separation of territorial integrity are vague terms and lack sufficient clarity.

The Law on Combat with Religious Extremism (LCRE) adopted in December 2015, in article 1.0.1.1 defines religious extremism with vague and problematic expressions. The Law refers to acts as “humiliating national dignity,” “compromising religion,”  and “preparing, storing and disseminating religious extremist material” as amounting to religious extremism. Expressions such as “national dignity” or “humiliation of national dignity” are non-legal concepts that are not defined in the domestic laws and therefore subject to broad interpretation by the authorities applying them, opening the way to misinterpretation of the concept and its application in an arbitrary manner [Furthermore, article 1.0.1.6 of the LCRE refers to “forcing someone to practice any religion (religious belief), including performing religious ceremonies and rituals as well as to religious education” as another act of religious extremism, which is equally problematic and may collide with the idea of spreading ideas of religious beliefs and inviting others to join, as a part of exercising freedom of religion, subject to the interpretation of the two concepts by the authorities, in absence of any criteria or clear terms in place. As the ECtHR has ruled, freedom of religion and the freedom to change religion in particular cover activities aimed at persuading others to change religion.]

Procedural safeguards:

Another problematic provision is article 13-2.3.9 of the law, which classifies insult and slander as the prohibited content online. Generally, the legislation of Azerbaijan provides for both civil action and criminal prosecution of defamation. As to the criminal prosecution of defamation, as of March 2017, there are four articles in the Criminal Code that provide criminal liability for defamation. With the amendments to the Law on Information, Informatization, and Protection of Information and Code of Administrative Offences on 17 March 2020, defamation is now sanctioned under the code of administrative offenses.

In practice, police often apply this provision against people who allegedly insult police or other state officials. 

On June 27, 2020, police arrested and fined several individuals who criticized the singers who devoted a song to the police claiming, they allegedly insulted the singers on social networks, insulted their honor and dignity. Meydan TV’s investigation revealed that most of those punished were representatives of opposition parties such as the Popular Front, Musavat and public activists. They were punished under Article 388-1 (posting of information prohibited from dissemination on the Internet).

However, the application of this provision contradicts with the domestic legislation. In Azerbaijan, it is not up to the police to classify the information on the grounds of slander or insult and instead is defined exclusively by the respective domestic courts upon the complaints of the individuals.

According to well-established court practice, courts always decide to conduct an expert examination to assess whether information/opinion is insulting or slanderous, and then the judge relies on the result of the expert examination. Furthermore, the law does not exclude the possibility that the same statement may be subject to both civil and criminal proceedings for defamation. 

Furthermore, the law does not specify how the sanction might be imposed if alleged prohibited content is identified. It is not clear from the text whether the website user will bear the responsibility alone or together with the owner of the internet or host provider. It is seemingly left to the executive authority to decide. For instance, in the case of a media article that allegedly contains prohibited content, the government may block the website forever in parallel, imposing sanctions on the content owner (user of the information resource).

Proportionate and necessary:

As discussed above, if the restriction does not meet proportionality and necessity requirements, the content removal or blocking measures may lead to violation of freedom of expression guaranteed under article 10 of the European Convention on Human Rights. Law on Information, Informatisation, and Protection of Information fail to specify a definition of the categories of blocking orders, such as blocking of entire websites, Internet Protocol (IP) addresses, ports, network protocols or types of use, like social networking, including a limit on the duration of the blocking order which is crucial parameters of the interference to assess whether applied methods are proportionate and necessary in a democratic society to limit the freedom of expression.

Conclusion

This ambiguous law gives extensive flexibility for the state to consider different, particularly critical views as false and government views as correct. The new amendments stipulate that the information shared on the Internet, which disrupts activities of the state institutions, is prohibited and punishable under the Code of Administrative Offences. While false information is also prohibited and punishable if such information threatens other socially dangerous consequences, which the law does not define. 

Such vague definitions and ambiguous expressions provide extensive discretion powers for the state authorities, allowing them to label critical views as false and prohibited. Given the abovementioned concerns, the Law on Information, Informatisation, and Protection of Information does not comply with international standards on freedom of expression. Its scope remains incredibly broad in terms of vague definitions, lack of safeguards, and procedural guarantees.

editor’s sentence reduced

February 25, the sentence of Anar Mammadov, editor of an online news site criminal.az was reduced from 5 years and 6 months to 5 years and 3 months. The decision was made by the Supreme Court.

Speaking in court, the editor, said allegations against him are bogus. “If you think I have committed a crime, then issue an arrest warrant. If you think writing about what is happening is a crime, then I commit this crime every day”, said Mammadov in court during the hearing.

Speaking to Azadliq Radio, Azerbaijan Service for Radio Free Europe, Mammadov said, he will be appealing to the European Court of Human Rights.