In Azerbaijan, hasty legislative measures in response to cyber threats leave protection of personal data on the back burner

In an increasingly digitalized world, the collection, retention, and processing of private data play an essential role for both private and public bodies in delivering services to citizens, clients, and users. However, in the absence of strong data protection regulations and cybersecurity, privacy infringements are inevitable. The analysis shared below indicates that in Azerbaijan, the national legislation on personal data protection does not effectively protect individuals against the arbitrary use of their personal data by either public or private entities.

The analysis also indicates that the national laws restrict and control personal data through intrusive measures, such as equipping telecom networks with special devices and granting real-time access to vast amounts of personal data, in the absence of a criminal investigation or judicial order. The absence of clear and enforceable regulations protecting personal data against arbitrariness, together with systems left flawed through negligence, puts personal data at a higher risk of infringement.

To illustrate how, in practice, no control or legal remedy is implemented in relation to the collection and processing of personal data in Azerbaijan, we looked specifically at the telecom industry and at a wave of hacks into state-run databases containing vital personal data of citizens.

Our findings underline the need to strengthen national laws and the practice of protecting individuals’ personal data, in light of the growing number of incidents in recent years involving personal data collected by state authorities and corporate entities, enabled by existing legal loopholes and a wave of hacks connected with personal data protection in Azerbaijan.

International standards

The protection of personal data, which falls within the scope of the right to privacy, is recognized internationally as a human right that countries are required to respect. This right is enshrined in different international human rights treaties ratified by the Republic of Azerbaijan. These include the Universal Declaration of Human Rights (Article 12), the International Covenant on Civil and Political Rights (Article 17), the Convention on the Rights of the Child (Article 16), and the International Convention on the Protection of All Migrant Workers and Members of Their Families (Article 14).

At the regional level, the right to privacy is protected by the European Convention on Human Rights. Article 8 (Right to respect for private and family life, home and correspondence) of the convention holds that telephone data, emails, and Internet use (Copland v. the United Kingdom, 2007 §§ 41-42), and data stored on computer servers (Wieser and Bicos Beteiligungen GmbH v. Austria, § 45), fall within the scope of protection of Article 8. The European Court of Human Rights also acknowledges that the protection of personal data is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life, home, and correspondence, as guaranteed by Article 8 of the Convention (Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland [GC], 2017, § 137; Z v. Finland, 1997, § 95).

The mere storage of personal data can violate a user’s right to privacy. The violation depends on the context in which the data is collected, the way it is collected, processed and used, and the outcome of the user data collection (S. and Marper v. the United Kingdom, 2008).

This right is further promoted and reinforced by the Council of Europe Convention 108 and a number of recommendations in relation to the protection of personal data adopted by the Committee of Ministers of the Council of Europe.

Azerbaijan has ratified various international and regional human rights treaties providing protection to the right to privacy and personal data, and as such, committed to ensuring relevant international human rights standards in relation to personal data protection. In 2009, the country joined Convention 108 also known as the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data. However, Azerbaijan is not a party to the Additional Protocol to Convention 108 which requires each party to establish an independent authority to ensure compliance with data protection principles and lays down rules on trans-border data flows.

This legally binding international data protection treaty establishes a number of principles for the signatory states to ensure that data is collected and processed fairly and through procedures established by law, for a specific purpose, that collected data is stored for no longer than a set time, and that individuals have the right to access, amend, or erase their data.

Practice in Azerbaijan

The rights related to personal data are guaranteed by Article 32 of the Constitution of Azerbaijan, which provides the right to privacy of personal and family life, including information transmitted by various means of communication, including correspondence, telephone, mail, and telegraph. The Constitution prohibits acquiring, storing, using, and spreading information about a person’s private life without his/her consent.

The main law covering personal data in Azerbaijan is the Law on Personal Data adopted on May 11, 2010 [No 998-IIIQ, available in Azerbaijani here]. Article 6 of the Law on Personal Data sets out the forms of state regulation,[2] which are implemented through different normative legal acts.

In this context, personal data refers to information that, directly or indirectly, identifies a person [The Law on Personal Data, article 2.1.1]. This information includes name, last name, patronymic, date of birth, and other information contained in identity documents, as well as data revealing the racial or ethnic origin, marital status, religious faith and beliefs, health, or criminal record of an individual.

The Law on Personal Data does not contain an exhaustive list of data that is deemed to be “personal data”. Thus, what constitutes personal data must be assessed on a case-by-case basis. Personal data is defined as any information referring directly or indirectly to an identified or identifiable individual (the “data subject”). The Data Protection Law also sets forth special categories of personal data. These cover information referring to a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, personal health, sex life, and criminal record. In addition, the processing of biometric data is regulated by the Data Protection Law.

As per the Decision of the Cabinet of Ministers of Azerbaijan on “the requirements for the protection of personal data,” adopted on September 6, 2010, seven state institutions are granted the authority to supervise the fulfillment of the requirements for the protection of personal data. These are the Ministry of Digital Development and Transportation; the State Security Service; the Foreign Intelligence Service; the Ministry of Internal Affairs; the Ministry of Justice; the Special State Protection Service; the Special Communication and Information Security State Service; and the Financial Markets Control Chamber.

Under the Law on Personal Data, the collection, processing, and cross-border transmission of the personal data of any physical person are permitted only with the written consent of that person. Similarly, Article 6 of the Convention for the Protection of Individuals with Regard to the Processing of Personal Data states that the processing of special categories of personal data shall be allowed only where appropriate safeguards, complementing those of the Convention, are enshrined in law. Such safeguards shall guard against the risks that the processing of sensitive data may present for the interests, rights, and fundamental freedoms of the data subject, notably the risk of discrimination.

In the context of Azerbaijan, the country’s Law on Personal Data (Article 13.2.1) provides an exception where personal data can be made accessible to third parties without the consent of the subject. This exception is based on Article 5.4 of the Law on Personal

A recent wave of cyber threats and Azerbaijan’s response 

Azerbaijani citizens have long suffered significant harm from hacks into the database of key public institutions or from monopolistic companies transferring personal user data without users’ consent. This has been the case at least since 2011.

2022 was no exception. Multiple data leak incidents involving the personal data of millions of citizens, allegedly obtained from government agency databases, were reported in the course of the year. Officials say cyber-attacks have increased in the aftermath of the second Karabakh war [September 2020] and peaked once again during the September border clashes this year. Weak protection mechanisms placed Azerbaijan 40th among 194 countries in the Global Cybersecurity Index in 2021.

The most recent cyber-attack took place on August 8, 2022. Large-scale cyber-attacks against a number of state institutions and banks in Azerbaijan were reported by the State Service for Special Communication and Information Security. No further details of the hack were released, and how much data was stolen remains unclear.

On April 20, 2022, the website of the Compulsory Insurance Bureau of Azerbaijan was compromised. The perpetrator(s) of the hack claimed that the entire system of the Compulsory Insurance Bureau was destroyed, and more than 40 million pieces of information were seized. The online platform of the State Motor Transport Service (e-fn.danx.gov.az) was also among hacked institutions.

According to the June 2020 “Cybersecurity guidelines for the Eastern Partnership countries,” released by the European Union’s EU4Digital Initiative, the main obstacles and gaps in the area of cybersecurity in Azerbaijan were the country’s outdated national legislation and insufficient commitment of national authorities to cybersecurity matters.[3]

The country’s own Cybersecurity Governance Assessment Report, published in November 2020, indicated that there was a lack of cybersecurity benchmarks for digital web providers, due to the absence of a competent authority in the field of cyber/information security to supervise public and private digital service providers with regard to the implementation of cyber/information security requirements.

In light of recent cyber threats, the government of Azerbaijan has come up with several legislative and policy measures: a document on the security of critical information infrastructure and an information and cyber security strategy. On September 21, 2022, the head of the department of the State Service for Special Communication and Information Security of Azerbaijan, Tural Mammadov, stressed that the cyber strategy submitted to the Cabinet of Ministers would be approved soon. The “National Strategy of the Republic of Azerbaijan on Information Security and Cybersecurity for 2020 – 2025” has been in the works since March 2020.

New legislative amendments

On April 17, 2021, President Ilham Aliyev signed an order “On some measures in the field of ensuring the security of critical information infrastructure.” The order authorized the State Security Services of Azerbaijan to ensure the security of critical information infrastructure, including the fight against cyber threats.[4]

In May 2022, the parliament approved amendments to the Law of the Republic of Azerbaijan “On information, informatization, and protection of information.” The amendments introduced 9 new concepts and a new chapter, named “Security of critical information infrastructure,” consisting of 6 articles. The amendments, which entered into legal force on July 6, 2022, brought new concepts such as critical information infrastructure, cyber security service provider, information security, cyber threat, cyber-attack, and cyber incident into the national legislation. In connection with the adoption of these amendments, two new articles were added to the Code of Administrative Offenses providing administrative liability for violating the rules for ensuring the security of critical information infrastructure.

Article 371-1 envisages liability for violation of the rule of ensuring the security of critical information infrastructure. Article 602-3 envisages liability for failure to fulfill the requirements of the authorized body (official) in the field of ensuring the security of critical information infrastructure.

On July 16, 2022, a decree of the Cabinet of Ministers set the task of preparing draft rules for ensuring security, and proposals on the criteria for critical information infrastructure and facilities, within two months.

Personal data vs. surveillance and commercial use of personal data   

How do national laws protect personal data in the telecom industry?

Collection, processing, and protection of personal data, including individual information created by means of technology [SMS, phone calls, etc.], are mainly regulated by several laws [on Telecommunications; On information, informatization, and protection of information; and on Personal Data] and by normative legal acts of the Cabinet of Ministers and other central executive bodies.

In Azerbaijan, customers entering into a contract with mobile operators [to complete SIM card registration] are obligated to provide an extensive amount of personal data. This is regulated by Article 40 of the Law On Telecommunications and the decision of the Cabinet of Ministers dated July 7, 2005, “On the approval of the conditions required for the sale and use of communication facilities by communication enterprises (operators), as well as their dealers.”[5] The collected user data is then stored in electronic format in the single database of the operators and at AzInTelecom (a state company of the Ministry of Digital Development and Transportation).[6] According to a decision of the Cabinet of Ministers, the Information Computing Center of the Ministry of Digital Development and Transport, where the personal data are gathered and processed, is established together with the Ministry of Internal Affairs and the State Security Service.[7]

Pursuant to purposes, and operation-search activities and solve relevant organizational and technical issues in relation to such activities within the operators’ information systems.[8]

Presidential Decree No. 507 dated June 19, 2001 (IV), “On the division of powers of search operations’ entities while carrying out search operations,” ensures that the Ministry of Internal Affairs and the State Security Service can autonomously connect to the communication networks of telecom operators.[9] That said, the presidential order regulating the conduct of this kind of search and operation activity in the telecom industry, dated February 15, 2017, is not public.[10]

The above-mentioned legal environment makes subscribers’ personal data accessible to the law-enforcement authorities, given that all collected personal data of users is accumulated in a database established together with the law-enforcement authorities or in systems equipped with technical means allowing law-enforcement authorities to access users’ personal information. Also, according to Article 11 (IV) of the Law on Operation and Search Activities, the decision of the court (judge), investigative body, or authorized subject of operative search activity on the implementation of operation-search measures can be adopted not only when there is an initiated criminal case but also in a wide range of circumstances, including in an event the state security and/or its

Pursuant to article 445 of the Criminal Procedure Code, search operations such as interception of telephone conversations; monitoring of mail, telegraph, and other correspondence; and extraction of information from technical communication channels and other technical devices are carried out only on the basis of a court decision.[11] However, according to Article 10, paragraph 4 of the Law on “Operation and Search Activities”, and Article 177.4 of the Criminal Procedure Code, these search operations may also be carried out without a court decision, based on a reasoned decision of an authorized officer of the body carrying out the search operation.[12] This decision must be presented to the court conducting judicial oversight and to the prosecutor conducting the procedural management of the preliminary investigation within 48 hours after the relevant measures are taken. In practice, most of the investigations carried out based on a reasoned decision of an authorized person have [13]

The selling/giving of personal data to third parties for commercial purposes

Azerbaijani media and social networks regularly discuss reports and complaints concerning the processing (transfer/sale) of SIM card users’ personal data for commercial purposes without their consent.

In accordance with article 23.1 of the Law of the Azerbaijan Republic “On Advertising” dated May 15, 2015, No. 1281-IVQ, a telecom operator or provider may broadcast advertisements on the basis of a contract concluded with the advertiser. The telecom operator or provider may send advertisements to a subscriber individually only if this is agreed upon in the written contract concluded between the company and the subscriber. The existing law obligates the telecom operator or provider to give the subscriber the option to opt out of receiving advertisements at any time, or to receive only the advertisements the subscriber wishes to receive.[14] Similar provisions are envisaged in Article 50-1 of the Law “On Telecommunications.”[15]

According to Article 9.10 of the Law on Personal Data, personal data collected and processed in corporate information systems may be presented to third parties for a fee. This procedure is regulated by the Decision of the Cabinet of Ministers, “Regulation on the transfer of personal data collected and processed in corporate information systems to third parties on a paid basis” which was adopted on March 2, 2011.[16] According to this regulation, the sale/transfer of data to a third party only applies to the open category of personal data.[17] The open category of personal data refers to the (i) information which has been anonymized in a specified manner, (ii) made public by the subject, or (iii) entered into the information system created for general use, with the subject’s consent. The Regulation (article 2.1) further requires a contractual agreement between the owners of personal data and the third party intending to obtain the personal data and additional permission of the state body that maintains the state register of information systems (Ministry of Digital Development and Transport).[18] The Regulation (article 2.3) also determines mandatory contractual clauses for the agreement on the transfer of personal data collected and processed in corporate information systems to third parties on a paid basis. It establishes specific duties[19] for the third parties who intend to obtain personal data.

However, agreements between operators or providers and third parties on the sale of personal data are neither provided to the owners of the personal data (the individuals whose personal data was transferred) nor published. Therefore, individuals are unable to know the scope of the data sold or the further specifics of how their personal data is used.

At the same time, the Law on Personal Data (article 7.1.2) provides that owners of data have the right to request the legal justification for the collection, processing, and transfer of personal data about themselves and to receive information about the legal consequences (for themselves) of the collection, processing, and transfer of this data to third parties.

How is the consent given?

There are over ten million mobile phone subscribers in Azerbaijan.[20] Azercell LLC, Bakcell LLC, and Azerfon LLC (a brand of Nar) are the three major mobile phone operators. The subscription contracts of all three major mobile operators include many similar conditions, because the Law on Telecommunication sets the mandatory clauses for such contracts between operators and subscribers.[21] As such, there is little difference in the way the operators use personal data. The subscription agreements individuals enter into with mobile operators (at least those distributed on the websites of Bakcell LLC and Azercell LLC) include provisions indicating “giving consent to receive advertising SMS”. Individuals often overlook these conditions or pay no attention to them.

A review of the consent clauses in the subscription agreements demonstrates that such provisions are not clearly drafted and do not explicitly state the concrete implications for subscribers of choosing “to receive advertisement SMS”, or what this means from a personal data protection perspective.

However, the Law on Personal Data (article 8.2) sets out that an individual’s written consent to the processing of personal data must include: the purpose of collecting and processing the personal data; the list of personal data the subject consents to have processed and the processing operations; the validity period of the subject’s consent and the conditions for its withdrawal; and the conditions for destruction or archiving of the personal data collected about the subject, in accordance with the legislation, after the expiration of the specified storage period in the relevant information system or after the subject’s death.

As the contracts between advertising companies and mobile operators are not public, it is not clear how the mobile operators allow third parties “to send advertising SMS” to subscribers. While aware that the operators use subscribers’ personal information to sell targeted ads, subscribers do not know whether such contracts also provide for the transfer of phone numbers to third parties, or what concrete personal data the mobile operators use to identify eligible subscribers for advertising SMS.

None of the three main telecom operators have published privacy policies on the protection of personal data specifically in relation to the use of SIM cards, although Azercell LLC[22] and Azerfon LLC[23] do have general privacy policies on data protection.

In the subscription agreement of Bakcell LLC[24], the contract includes one article that refers to advertisement: “4.3. On the basis of this Agreement, the Subscriber agrees to the automatic sending of information, entertainment, and advertising SMS to their number, and if the Subscriber refuses to receive any type of SMS, the sending of such SMS to the corresponding number is stopped.”

In the sample contract of Azercell LLC[25], the provision on “whether the subscriber consents to receive advertising SMS” requires an affirmative answer. This is good, especially in comparison to the sample contract of Azerfon LLC (Nar)[26], which has no clause on obtaining consent for such advertisement services. Instead, provision 6.4 of the contract states, “By signing this contract, the subscriber agrees to receive advertising or entertainment SMS or any other information to the number(s) he/she is using”. In addition, the Azerfon LLC (“Nar”) Privacy Policy states that “the subscriber accepts that Azerfon is not responsible for the disclosure of his/her information to third parties through the “Nar+” service application”.

In practice, individuals buying SIM cards are offered standard contracts and have no effective opportunity to refuse consent to such services. It seems that the subscriber is offered the opportunity to unsubscribe from ads only after activating the SIM card. It is then the subscriber’s responsibility to contact the operator and ask for a specific code that stops this service.

None of the three mobile operators’ contracts contain a provision on the operators’ responsibility for the protection of subscribers’ personal data, even though operators receive an extensive amount of personal information during the sale of SIM cards. The operators also oblige subscribers to inform them of any changes to their personal data.[27] Such clauses in the contracts of all three mobile operators are effectively non-negotiable, as mobile operators design their contracts unilaterally and the subscriber has no effective option to remove those conditions from the contract, except in the subscription contract of Azercell LLC.

Various Council of Europe instruments refer to consent for the processing of users’ personal data. Bearing in mind that the provisions of the Council of Europe Convention for the Protection of Individuals with Regard to the Processing of Personal Data apply to the automated data processing activities of network operators and parties providing telecommunication services, the telecom companies must respect the requirements of the Convention, to which Azerbaijan is a party. Thus, Article 5 (2), “Legitimacy of data processing and quality of data,” of the Convention stipulates that “each Party shall provide that data processing can be carried out on the basis of the free, specific, informed and unambiguous consent of the data subject or of some other legitimate basis laid down by law.”

Recommendation (95)4 of the Committee of Ministers of the Council of Europe to member States[28] recommends that the collection and processing of personal data in the area of telecommunications services should take place and develop within the framework of a data protection policy, taking into account the provisions of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and in particular the principle of purpose specification (3.1). The Recommendation also envisages that “Domestic law should provide the appropriate guarantees and determine the conditions under which subscriber data may be used by network operators, service providers, and third parties for the purposes of direct marketing by telephone or by other telecommunications means” (7.8).

The “Principles underpinning privacy and the protection of personal data” (2022) adopted by the UN Special Rapporteur on the Right to Privacy analyses international law in relation to consent and stresses the consent of the subject (owner of the personal data) as one of the legitimate grounds for the processing of personal data.[29] The UN Special Rapporteur concludes that the principle of consent is closely linked to the principle of legality, as it is the most common internationally recognized permissible ground for the processing of personal data (paragraph 31).

KEY FINDINGS

Do mobile operators give subscribers’ phone numbers and other personal information to other companies?

Given the absence of publicly available information about contracts between mobile operators and third parties concerning the sale or transfer of private data, the lack of privacy policies of telecom companies, and the lack of comprehensive data protection legislation and oversight, it cannot be said with confidence that SIM users’ personal data is not shared with other private and public databases, is not used to enable companies and the state to create profiles of individual citizens, or is not made accessible to other third parties for commercial purposes.

In March 2017, Azerbaijan’s Supreme Court judgment in “Viza” Law Firm v. “Azercell Telecom” LLC and “Sindbad” LLC established that one of the main mobile telecom companies, Azercell LLC, transferred the number of one of its subscribers (a client) to another company, which used the provided number to send advertisement SMS despite there being no legal ground (contract) between the company sending the advertisements and the user receiving the SMS notifications. The Supreme Court judgment supports the conclusion that mobile operators may share users’ personal data with third parties for direct marketing without explicitly mentioning this in the subscription contracts.

In July 2019, Azerbaijan’s Commissioner for Human Rights expressed concern over serious problems in data protection in the telecom industry where mobile operators were distributing users’ personal data without their knowledge and consent.[30]

Do the law-enforcement authorities have access to personal data gathered in the telecommunication systems beyond the rule-based surveillance regime?

The existing system of SIM card registration gives law-enforcement agencies access to, and control over, an extensive database of private data on SIM card users. This puts individuals at risk of being tracked or targeted and of having their private information misused. Such access undermines users’ ability to communicate anonymously and their right to privacy.[31]

This also poses a threat to vulnerable groups and facilitates an environment of state surveillance, making the tracking and monitoring of users easier for law-enforcement authorities.

One prominent example illustrating this trend was documented in January 2019 when, after an opposition protest rally, scores of rally participants received calls on their mobile phones from the local executive authorities and the police. All were questioned about their participation in the rally. Activists have long accused mobile operators of providing their mobile numbers to the authorities.[32] Responding to these claims, the mobile operators said the data shared with law enforcement was provided on the basis of legislation and official requests.[33] Meanwhile, the Ministry of Interior confirmed that the rally participants were indeed called in for questioning on the grounds that this was a “police activity, and the police were carrying out both public and operation-search and other investigative activities.”[34]

Some experts suggest that mandatory SIM card registration further fuels illicit use of SIM cards. It creates a black market, as people want to communicate anonymously, and it encourages identity fraud as people try to evade the system altogether.[35]

Conclusion

The national legislation of Azerbaijan regulating the telecommunication sector must be reviewed in line with the established principles and standards of the European Convention on Human Rights, as well as the Convention for the Protection of Individuals with Regard to the Processing of Personal Data.

The national laws must be designed so that personal data is processed lawfully (with the free, informed, unambiguous consent of the data subject or on the basis of law) for clearly defined legitimate purposes. In a context where national security and public safety interests are so often used to justify unprecedented intrusions on human rights and freedoms, it is crucial to ensure that new legislative and policy responses to cyber threats do not harm individuals’ personal data.

In particular, all national legal frameworks in the areas of surveillance, interception, protection of personal data, and other relevant areas must be accessible to the individual in question, who must be able to foresee the consequences of their application to him/her.

The government must adopt effective legal remedies and procedural safeguards against arbitrary and unlawful control of personal data exercised with excessive and wide discretion. Minimum safeguards for the exercise of discretion by public authorities must include detailed rules on (i) the nature of the offenses (grounds) which may give rise to an interception order; (ii) the duration, scope, and effective review of interception orders; and (iii) the precautions to be taken when communicating the data to other parties. Nationally, an independent regulatory authority should be established to ensure supervision and to review complaints related to personal data breaches.

The laws must also be formulated with sufficient clarity and precision to give citizens an adequate understanding of the conditions and circumstances in which the authorities are empowered to resort to this secret and potentially dangerous interference with the right to respect for private life and correspondence.

National laws also must be amended in order to ensure that telecommunication services offer guarantees for users’ privacy, the secrecy of their correspondence, and the freedom of communication. Furthermore, existing rules equipping and enabling the use of special tools within the telecommunication networks must be re-designed in order to provide privacy for users and mitigate risks of abuse of personal data by the authorities.

National legal frameworks should encourage the private sector (in particular in the areas of mass personal data collection and processing) to develop data protection policies.

Legislative measures on increasing cyber security within the critical information infrastructure should recognize that the private sector is responsible for cyber security; however, they should not enhance government control over the personal data collected and processed by the private sector. The government’s appetite to control telecom infrastructure and information in cyberspace is unlikely to bring positive changes with respect to personal data protection in Azerbaijan.

In this context, the cyber security measures must put personal data at the heart of the planned legislative and policy measures, in particular removing the risk of abuse of personal data by telecommunications service providers and state authorities.

Footnotes

[1] Rec(2002)9 18/09/2002 on the protection of personal data collected and processed for insurance purposes; Rec(95)4 07/02/1995 on the protection of personal data in the area of telecommunication services, with particular reference to telephone services; Rec(91)10 09/09/1991 on the communication to third parties of personal data held by public bodies; Rec(85)20 25/10/1985 on the protection of personal data used for the purposes of direct marketing.

[2] (i) establishing the legal basis for the collection and processing of personal data; (ii) ensuring basic human and civil rights and freedoms during the collection and processing; (iii) licensing of activities on collection and processing of personal data; (iv) conducting state registration of information systems of personal data; (v) certification of information systems of personal data and other ICT tools; etc.

[3] According to the report findings, the national law on the protection of personal data is outdated, and national legislation does not require data breach notifications. The report also identifies the main challenges as insufficient funding, lack of qualified personnel and resources in the cybersecurity area, and insufficient commitment of national authorities to cybersecurity matters. The report also indicates that security audits verifying whether baseline cybersecurity measures are implemented are carried out only in the banking sector. It further notes that there is no formal definition of Critical Information Infrastructure (CII) and CII operators are not identified at the national level.

[4] The State Security Service of Azerbaijan performs those functions jointly with the State Service of Special Communication and Information Security of Azerbaijan toward the state bodies, and public legal entities created on behalf of the state, in relation to legal entities belonging to the state.

[5] The Cabinet of Ministers decision dated July 7, 2005 requires the collection of personal data from subscribers such as the subscriber’s SIM card number, parameters of the subscriber identification module (IMSI, etc.), the mobile device’s international identification number (IMEI), ID card or passport (with photo), the concrete and detailed address and place of residence of the subscriber, bank account and registration details for legal entity subscribers, etc. https://e-qanun.az/framework/10541

[6] The implementation of the changes to the mobile number sale rules is being finalized, E-Gov.az portal, https://www.e-gov.az/az/news/read/349

[7] It is noted in the decision (preamble) of the Cabinet of Ministers that the rule (auth: a mandatory collection of personal data and establishing a unified database of SIM card holders) was adopted in order to implement the provisions specified in Article 39.1 of the Law “On Telecommunications”, Articles 9 and 12 of the Law “On Operation-Research Activities” and Article 17.4 of the Law “On Intelligence and Counter-Intelligence Activities”, which oblige telecommunication companies to create conditions for the search and operational activities of law enforcement authorities. Thus, the provisions in the various legal acts referred to, as well as these regulations, allow law enforcement agencies (Ministry of Internal Affairs and State Security Service) to jointly form a database where personal data collected by communication enterprises is gathered (paragraphs 3 and 4 of the Regulations).

[8] Pursuant to article 10.5 of the Law on Personal Data, article 39.1 of the Law on Telecommunications, and according to article 17.4 of the Law on Intelligence and Counterintelligence Activities, telecom operators must create conditions for conducting intelligence and counterintelligence, and operation-search activities in accordance with law and solve relevant organizational and technical issues in relation to such activities within the operators’ information systems.

[9] In accordance with the Presidential Decree No. 507 dated June 19, 2001 “On the division of powers of search operations’ entities while carrying out search operations,” legal entities and individuals providing communication services are required to install special equipment that provides access to information for search and operation purposes. https://e-qanun.az/framework/3569#_ednref12

[10] On the approval of the “Rules on ensuring information security during the implementation of operational search measures in communication networks” approved by the Presidential order on 2 October 2015, https://e-qanun.az/framework/30840

[11] Wiretapping of telephone conversations and extraction of information from technical communication channels and other technical means are carried out by the Ministry of Internal Affairs and the State Security Service in accordance with Presidential Decree No. 507 dated June 19, 2001 “On the distribution of authorities of entities of operative-searching activity in the implementation of investigation and search operations”, available (in Azerbaijani) at http://e-qanun.az/framework/3569

[12] In this case, the authorized official of the body conducting the search operation shall, within 48 hours of carrying out the search, submit the reasoned decision on the conduct of the search operation to the court exercising judicial supervision and the prosecutor.

[13] Dissenting opinion of judge Isa Najafov, in the decision of the Plenum of the Constitutional Court “On the interpretation of some provisions of Articles 137 and 445.2 of the Code of Criminal Procedure of the Republic of Azerbaijan”, February 12, 2015. Available (in Azerbaijani) at: https://constcourt.gov.az/az/decision/1159

[14] The telecommunication operator and provider shall be responsible for sending advertising without the consent of the subscriber or contrary to the provisions of this Law. Law on Advertising (Article 23), https://e-qanun.az/framework/30348

[15] The Law On Telecommunications, https://e-qanun.az/framework/10663

[16] “Regulation on the transfer of personal data collected and processed in corporate information systems to third parties on a paid basis” adopted on March 2, 2011, https://e-qanun.az/framework/21385

[17] The person’s name, surname, and patronymic are permanent open personal information. (The Law on Personal Data, Article 5.3).

[18] State registration of information systems and cancellation of state registration is carried out by the Ministry of Digital Development and Transport of the Republic of Azerbaijan, as determined by the Decision (article 1.3) of the Cabinet of Ministers On approval of “Rules for state registration of information systems of personal data and cancellation of state registration” dated August 17, 2010. https://e-qanun.az/framework/20039

[19] The contract should specify the content of the provided data, purposes of acquisition, fields of use, and methods, and the following obligations of the third party acquiring personal data should be provided: ensuring the protection of obtained personal data and the rights of personal data subjects in accordance with the Law of the Republic of Azerbaijan “On Personal Data”; not to give or transfer the obtained personal data to other persons in any way; exclusion of all threats and dangers for personal data subjects when using personal data, and not making offers that may cause them unwanted or additional costs, as well as anonymous or misleading personal data subjects. The material, technical and organizational capabilities of third parties who obtain personal data collected and processed in corporate information systems or their personal data operators must be in accordance with the purpose of data acquisition and the requirements for their protection.

[20] 2022 CEIC Data, an ISI Emerging Markets Group Company, https://www.ceicdata.com/en/indicator/azerbaijan/number-of-subscriber-mobile

[21] Article 40 of the Law on Telecommunications requires that the following provisions be reflected in the contract, and other documents should form a part of it: (i) the period (time) and conditions of connection and use of end equipment on the telecommunications network; (ii) conditions of termination and cancellation of the contract; (iii) duties, rights and responsibilities of the parties; (iv) the subscriber’s consent (objection) to the implementation of the duty specified in Article 33.1.3-1 of this Law; (v) his/her consent (objection) to the display of information about the subscriber in survey-information sources; (vi) other conditions not contrary to law. A copy of the photo ID of the subscriber must be attached to that contract.

[22] Azerfon LLC (“Nar”) respects your privacy. This Privacy Policy explains the collection, use, and sharing of information from or about you in connection with your use of the services. The term ” Services” refers to our video service, including the selection of television shows, clips, movies, and other content we offer (collectively, the “Content”) and our player for viewing the Content (the “Video Player”), as well as any other products, features, tools, materials, or other services offered from time to time by Nar through a variety of Access Points. The term “Access Points” refers to, collectively, the nar.az website (the “Nar Site”), applications, and other places through which the Services may be accessed, including websites and applications of Nar’s third-party distribution partners and other websites where users or website operators are permitted to embed or have otherwise entitled to publish the Video Player. https://www.nar.az/promo/nar-tv-privacy/index-en.html

[23] Privacy Policy about the application “Azercell Kabinetim”, “Azercell Kabinetim” is created by “Azercell Telecom” LLC as a FREE application. This SERVICE is rendered by “Azercell Telecom” LLC free of charge and is intended to be used the way it exists.  This web page is used for providing information about our policy on collection, usage and disclosure of personal data of customers determined to use our Service. If you choose to use this Service, you consent to the collection and usage of information in accordance with the present policy. The collected Personal Data is used for rendering and improving this Service. We undertake not to use or share your data with anyone except for those cases described in this Privacy Policy. The provisions used in this Privacy Policy have the same meaning as the Terms and Conditions set forth in my Cabinet unless otherwise stated in the Privacy Policy. https://www.azercell.com/my/assets/policy/privacy_policy_en.html

[24] Subscription Agreement of the Bakcell LLC, https://www.bakcell.com/az/abune-muqavilesi

[25] Subscription Agreement of the Azercell, https://www.azercell.com/assets/files/abunechi-muqavilesi/azercell_abune-muqavilesi.pdf

[26] Subscription Agreement of the Azerfon, https://www.nar.az/uploads/documents/Nar_abunechi_muqavilesi_new.pdf

[27] In accordance with article 4.2.7 of the Contract provided by Bakcell LLC, the Subscriber is responsible for the correctness of the information related to the Subscriber, reflected in this Agreement and submitted by the Subscriber to “Bakcell”, and must immediately (no later than 2 (two) calendar days) inform “Bakcell” in writing about changes in the registration address, questionnaire data, contact number and other information related to this Agreement. The subscriber does not object to the display of this information in the survey information sources.

[28] “On The Protection of Personal Data in the Area of Telecommunication Services, With Particular Reference to Telephone services”

[29] The “Principles underpinning privacy and the protection of personal data” report adopted by the UN Special Rapporteur on the right to privacy, 2022, https://documents-dds-ny.un.org/doc/UNDOC/GEN/N22/594/48/PDF/N2259448.pdf?OpenElement

[30] On 6 July 2019, during the meeting of the Working Group on “Business and human rights” held at the Ombudsman office (the meeting was dedicated to the topic “Ensuring the right to access information in the context of business and human rights”), the Commissioner noted that despite the existence of serious reforms in the relevant field, mobile operators distribute personal data without the knowledge and consent of the data owners, as a result of which they are inconvenienced and materially damaged, and that the investigation of citizens’ complaints is carried out by companies without the participation of the complainant, which in many cases also results in the complainant’s position not being considered. The Commissioner noted that such issues must be resolved. https://ombudsman.az/az/view/news/1354/ombudsman-yaninda-biznes-ve-insan-huquqlari-uzre-ishchi-qrupun-novbeti-toplantisi-kechirilib

[31] A SIM card is more than a phone number. It allows authorities to easily track people’s locations and movements. All of their online activity—websites visited, search queries, purchases, and more—can be traced back to their device.

[32] “Mobile operators have prepared a list of rally participants”, 28 January 2019, https://yenisabah.az/mobil-operatorlar-mitinq-istirakcilarinin-siyahisini-hazirlayib

[33] “Mobile operators responded to the accusations of the opposition”, 30 January 2019, https://www.azadliq.org/a/mitinq-bakcell-azercell-azerfon/29741836.html

[34] How is personal information protected in Azerbaijan? BBC News in Azerbaijani. February 7, 2019. https://www.bbc.com/azeri/azerbaijan-46875038

[35] Access to Mobile Services and Proof of Identity 2021. The GSMA Association. April 2021, https://www.gsma.com/mobilefordevelopment/wp-content/uploads/2021/04/Digital-Identity-Access-to-Mobile-Services-and-Proof-of-Identity-2021_SPREADs.pdf

Legal analysis of a COVID tracing app released last year in Azerbaijan

This is part three in a series of detailed legal reports and analyses on existing legal amendments and new legislation affecting privacy, freedom of expression, media, and online rights in Azerbaijan and their compliance with international standards for freedom of expression.

In July of last year, authorities in Azerbaijan released their very own COVID tracing application. Launched by Tebib (Azerbaijan Administration of Regional Medical Division), the app was quick to draw attention, especially over its privacy issues.

The mobile app is operated by the Data Processing Center (DPC), which is the main information technology structure of the Ministry of Transport, Communications, and High Technologies. According to the app’s version history on the App Store, the application was last updated on 27 May 2021.

e-Tebib is just one of the deluge of apps unveiled by various governments during the height of the COVID-19 pandemic, promising to detect COVID-19 exposure, among other things.

Below, we break down the pervasiveness of the app having analyzed existing national and international legislation.

Features and concerns

According to the app’s description, “E-Tebib is designed to inform users in real-time about the number of patients (both sick and recovered) in Azerbaijan.” Since the start of the pandemic, the official data for Azerbaijan on the number of infected patients and recoveries was made available here, and the numbers were updated once a day, based on the numbers reported by the Operational Headquarters set up under the Cabinet of Ministers of the Republic of Azerbaijan (the unit was established on February 27, 2020). Already from the start, it was unlikely the app was going to provide real-time indicators when the main body in charge only shared the information once a day.

In addition, article 4.4 of the app’s user agreement explicitly said that any information obtained through the app may not be precise, correct, or trusted. And yet, the app also claimed to reduce the number of infected patients by informing users of potential COVID-infected patients around them via Bluetooth technology.

Although the app claimed it did not collect any personal data aside from the user’s phone number, article 5.3 of the license agreement stated that the center [the Ministry of Communication, Transportation and High Technologies, which owns the app’s license] collected users’ names, last names, phone numbers, social media accounts, emails, national ID numbers, and location.

Article 5.1 mentioned that the center was sharing this information with third parties. These third parties were allowed to analyze the collected information, including users’ browsing history [the center did claim that it did not allow third parties to use the obtained information for other purposes]. Article 5.5.1 stated the center may share users’ information upon government bodies’ and/or representatives’ legal requests, court orders, or under any other legal condition. Furthermore, article 5.6 stated that users’ information may be shared with third parties in other countries for security purposes.

What the law says

According to Article 5.1 of the Law on Personal Data personal information is protected from the moment it is collected and for this purpose, it is divided into confidential and public categories according to the type of access. Article 5.2 of the Law on Personal Data stipulates that confidential personal data must be protected by the owner, operator, and users who have access to this information on a level required by law. Confidential personal information may be disclosed to third parties only with the consent of the subject, except as provided by law. Article 5.3 of the Law on Personal Data defines open personal data as information anonymously duly declared, made public by the subject, or entered into the information system with the consent of the subject. The person’s name, surname, and patronymic are permanently open personal information.

The terms of the agreement [of the app] on sharing private information with third parties are vaguely regulated and open to wide interpretation, allowing unlawful transmission of private information to third parties.

Furthermore, article 5.5.1 of the app’s agreement, which states that information might be shared upon government representatives’ legal requests, is problematic from the human rights perspective. It fails to specify on which grounds and under what conditions the state authorities might request the private information, which is necessary in terms of procedural fairness and safeguards against arbitrariness.

Where personal information is stored for the interest of the protection of health, there should be adequate and effective guarantees against abuse by the state. The law in question, which allows the storing of such information, must indicate with sufficient clarity the scope and conditions of exercise of the authorities’ discretionary power. These standards to some extent are also backed in Article 11.2.2 of the Law on Personal Data which states that when collecting personal data, the owner or operator must notify the subject about the purpose of personal data that is being processed and the legal grounds of this purpose.

In other words, it is not clear whether any state authority can have access to private information simply upon requesting it, without legal justification. Such justification is also a requirement of Article 10 of the Law “About operational search activities”, which states that the extraction of information from technical communication channels and other technical means is carried out on the basis of the decision of the court [judge].

Article 5.10 of the app’s user agreement states that all user-related data is kept for a month. But it fails to explain whether the same expiry date applies to “third parties” that may have accessed users’ information. This is contrary to Article 8.2 of the Law on Personal Data, which requires that the written consent for the processing of the subject’s personal data include the purpose of collecting and processing the personal data and (specifically under Article 8.2.3) the conditions of destruction or archiving of the personal data collected in the relevant information system after the expiration of the storage period or after the death of the subject, in the manner prescribed by law.

Such vagueness is also contrary to the ECtHR’s well-established case law. In the case of Aycaguer v. France, the ECtHR ruled that there was a violation of Article 8 (right to respect for private life) of the Convention by “determining the duration of storage of […] personal data depending on the purpose of the file stored […]”. The Court noted that, to date, no appropriate action had been taken on that reservation and that there was currently no provision for differentiating the period of storage. The Court also ruled that the regulations on the storage of DNA profiles did not provide the data subjects with sufficient protection, owing to its duration and the fact that the data could not be deleted. The regulations, therefore, failed to strike a fair balance between the competing public and private interests.

Another concern was that the application was developed by A2Z Advisors LLC and the app’s privacy policy was linked to the company’s website. The landing page of A2Z Advisors LLC, however, did not provide any information on the app’s privacy policy. At the time when the app was launched, AIW reached out for comment via email as per A2Z’s recommendation but never received a response.

Similarly, in the App Store for iOS, clicking on the “App Support” tab once again led to the A2Z company website, which once again failed to provide any information related to the app. Instead, the privacy policy was accessible via this link, which a user could reach only after downloading and launching the app. This in itself was contrary to several articles of the Law on Personal Data.

According to Article 11 of the law, when collecting personal data, the owner or operator is required to notify the subject about the level of protection of personal data collected and processed in the information system [11.2.3]; the existence of a certificate of conformity of information systems and state examination [11.2.4]; and the scope of the intended uses of personal data, including the information system with which the information is to be exchanged [11.2.5]. However, no such information was provided in the app’s agreement.

The app’s code was also not open source, and the app was licensed under the Ministry of Communication, Transportation, and High Technologies. This is contrary to the requirement [Article 6.22] of the Resolution of the Cabinet of Ministers on “Requirements on creation and management of Internet information resources of state bodies”, which requires that open source content management systems should not be used in internet information resources.

FaktYoxla, a fact-checking platform in Azerbaijan, concluded after a detailed legal analysis of the license agreement that e-Tebib was not designed in accordance with the national legislation on data privacy. The fact-checking platform, having analyzed the respective case law of the European Court, the EU Data Protection Directive, and the Council of Europe Treaty 108, concluded that the e-Tebib application contradicted the obligations imposed by international standards.

On July 10, 2020, following widespread privacy concerns and questions over the app’s transparency, changes were made to the terms of the agreement.

Originally, users’ information was transferred to third parties which were not explicitly defined in the agreement. At the time, independent experts and lawyers said this was against Article 32 of Azerbaijan’s state constitution and in violation of Article 8 of the European Convention on Human Rights. Azerbaijan’s constitution, namely Article 8, stipulates that no one has a right to collect personal information without an individual’s permission. The convention, on the other hand, refers to respect for privacy.

In the case of Copland v. the United Kingdom (no. 62617/00, ECHR 2007-I), the Court found that it was irrelevant that the data held by the college where the applicant worked was not disclosed or used against her in disciplinary or other proceedings. Merely storing the data amounted to an interference with private life.

The updated license agreement said that personal information may be transferred to third parties only under necessary circumstances and within the normative legal framework. The revised agreement, still, fails to explicitly mention the precise list of institutions considered third parties.

Fuad Niftaliyev, the head of the app development project, later explained that the third parties referred to in the agreement are the Ministry of Health, Tebib, and the Operational Headquarters [set up under the Cabinet of Ministers of the Republic of Azerbaijan]. Niftaliyev clarified that the collected information was stored on servers operated by the Ministry of Communication and Information; however, that too was problematic, given the questionable transparency of government institutions in Azerbaijan, especially as surveillance technology is widely used by the ministries alike.