The State of Internet Freedom in Azerbaijan – 2022 legal overview

In this final installment of legal analysis, we offer an overview of some of the key developments covered over the last year with relevant updates within what is seemingly becoming a restrictive internet freedom environment.

Summary

From the gradually declining space for online media and the visible pattern of offline persecution for online speech to the lack of protection mechanisms against personal data infringements and the ineffectiveness of legal remedies against targeted cyber-attacks and harassment, the research and documentation carried out by Azerbaijan Internet Watch throughout 2022 has shown that over the past year there has been a significant negative impact on internet freedoms.

It’s been especially tough for independent media practitioners, who are facing the prospect of fines, complete closures, and further measures of control and intimidation. The signs of the deteriorating situation were already visible in January 2021, when the government of Azerbaijan announced the establishment of a new media body – the Media Development Agency [MEDIA] – and the drafting of a new Media Law. This law, which was passed in December 2021, effectively authorized the MEDIA to impose a number of restrictions on media subjects, including a requirement for mandatory registration of journalists with the authorities. As a result, the Law on Media further consolidated state control over independent and online media.

Over the course of the past year, the general prosecutor’s office continued to persecute online speech by excessively relying on the Law on Information, Informatization, and Protection of Information combined with existing national legislation empowering the Prosecutor’s Office to take measures where it deems necessary. As a result, as documented in this and prior reports, there have been numerous cases of social media users and media professionals facing fines and other arbitrary punishments for exercising their right to freedom of speech, all on vaguely defined legal grounds.

AIW also identified that the government of Azerbaijan continuously failed to protect personal data effectively, whether as a result of outdated laws, lack of technical capacity, or lack of political will to address the issue. This is evident in numerous examples of hacked databases over the decade, where the obtained personal data was shared or transferred to third parties without consent, leaving countless users vulnerable. To make matters worse, the unlimited access of law enforcement and special service agencies to users’ personal data leaves users at risk, not to mention the absence of privacy protection. The research carried out by AIW also showed there are no proper safeguard mechanisms against the abuse of personal data, especially when this information is sold for commercial purposes, with subscribers deprived of their right to know where their data is sent or sold.

Meanwhile, law enforcement authorities failed to respond effectively to complaints requesting a criminal investigation into the personal data infringements, despite there being ample evidence that the personal data in question was indeed obtained through stolen or hacked accounts and later unlawfully distributed online.

The Pegasus litigations, including the targeted cyber-attacks on social media accounts of media professionals and activists, have also proved ineffective as a result of significant flaws and delays in the investigation process. The domestic litigations regarding the use of surveillance software (Pegasus) led to legal applications to the European Court of Human Rights (ECHR), exposing ill-intended practices of state secret surveillance agencies and inadequate national legislation, which has failed to ensure the protection of the rights of all users of telecommunication services as guaranteed by the Convention and the national laws.

The above-mentioned domestic litigations also exposed the lack of adequate protective measures for privacy rights, especially in cases of covert surveillance and state-sponsored cyberattacks. Judicial remedies in place have been insufficient, and the existing civil and administrative avenues place a heavy burden of proof on claimants.

As such, the European Court of Human Rights (ECtHR) remains the most effective international avenue for legal remedies against violations of internet freedoms in Azerbaijan, despite the systematic delays in executing ECtHR judgments. The legal overview carried out throughout the past year indicates that bringing more applications before international tribunals, including the ECtHR and the Human Rights Committee, is essential for protecting privacy rights and countering violations.

Meanwhile, the government of Azerbaijan must adopt effective legal remedies and procedural safeguards against unlawful access to personal data and covert surveillance.

Restricting the Media: Implications for Online Media. Post-March 2022 developments  

Online media in Azerbaijan faces significant challenges with respect to freedom of expression and internet freedoms. There are a growing number of restrictive laws regulating the internet and online content. In addition, the government of Azerbaijan systematically blocks websites, throttles internet connectivity, and carries out cyberattacks and surveillance on human rights and political activists, independent media outlets, and their staff.

On March 24, 2022, Azerbaijan Internet Watch, in its comprehensive legal opinion “New Media Law: implications for online media/journalism in Azerbaijan”, highlighted the adverse implications of the new Media Law specifically for online media and journalistic activities online in Azerbaijan.

On February 8, 2022, the president of Azerbaijan, Ilham Aliyev, approved the new Media Law. The law was adopted by Parliament on December 30, 2021. It was heavily criticized by local and international rights organizations, who made repeated calls on the government to refrain from adopting the new Law given its restrictive nature. Critics of the draft law worried the new legal document would seriously threaten media freedom, including online media, as it contained provisions granting discretionary powers to the state authorities, including excessive media regulation, especially of online media platforms, as well as further restrictions on the work of practicing journalists, media companies, and relevant entities. Critics were also vocal about the absence of a broad and meaningful public consultation on the law prior to its adoption. The government of Azerbaijan strongly rejected any criticism.

And yet, AIW’s legal analysis illustrated how the new law empowered media regulatory authorities to issue sanctions, further consolidating government control over the online media environment and journalistic activity, and imposing numerous requirements and regulations on audiovisual media, print media, online media subjects, news agencies, and journalist activities in Azerbaijan. The main concerns included the poorly worded definitions and the excessive requirements and restrictions for online media content, including registration requirements within the newly set up Media Registry for online media subjects, their staff, and freelance journalists working for online media.

The Media environment was already marred with violations and censorship in Azerbaijan prior to the adoption of the law. Numerous news websites were blocked while media practitioners affiliated with independent or opposition media platforms faced persecution and widespread intimidation. The most recent World Press Freedom Index by Reporters Without Borders ranked Azerbaijan 167th out of 180 countries in 2022.

Unlike previous media regulations implemented before 2009 which were mostly indirect restrictions and failed to meet satisfactory international human rights standards, laws that were adopted, amended, or implemented in the following years focused on more formal-legal measures. The new Media Law was the culmination of these measures.

Pre-2009 restrictions mainly consisted of de facto limitations (such as the imprisonment of journalists on bogus charges that were often unrelated to the media legislation) and financial “support” (one-time financial assistance packages, individual scholarships, various orders, medals, free housing after 2011).

Ahead of its adoption in the parliament, the new Media Law was drafted behind closed doors, without public discussions. Even after the draft law was revealed to the public, recommendations and proposals offered by media experts were not taken into account. Several international human rights organizations criticized the new Media Law and urged the Government not to enact the Law.

Among some of the problematic areas of the law are:

*Article 14:

This specific article and its paragraphs require that information published and (or) disseminated in the media (including online media) must meet at least 14 requirements. The law also requires that content published by media outlets should meet the requirements of the Law on Protection of Children from Harmful Information and the Law on Information, Informatization, and Protection of Information which provides an exhaustive list of requirements criticized for vagueness.

*Article 60:

Article 60, paragraph 5, requires online media to publish at least 20 articles per day to qualify as an online media platform.

This is the first time a law defines what constitutes online media. But the rationale behind these measures is unclear. The article does not mention, for instance, how newsrooms with smaller teams are meant to produce twenty articles per day. Independent journalists who have voiced concern over this specific article say this creates an environment of news pollution, with platforms focused on producing poorer stories aimed at simply meeting the imposed quota.

It also requires that online media outlets disclose their organizational information on their respective websites.

It also requires online media to register with the tax authorities and to identify and appoint a person responsible for editorial matters.

*Article 62:

Article 62.1 reads that permission from state bodies is not required for setting up online media. But Article 62.2 requires that an online media entity must apply to the relevant executive authority (Media Registry) 7 days prior to the publication or dissemination of the relevant media material.  In other words, while there is no need to apply for creating an online media platform, there is a requirement to apply for a permit once the online resource becomes operational and starts publishing.

Article 62.4 requires an additional opinion issued by the State Committee for Work with Religious Organizations before an online media focusing on religion and religious content is set up.

*Article 74 and Media Registry

The Media Registry system became operational in October 2022. The “rules for maintaining a media registry” are a set of regulations determining the requirements and procedures journalists must meet in order to be eligible for inclusion, as well as the grounds for exclusion.

The Media Registry itself is an electronic information resource managed by the Media Development Agency, which is managed by the Supervisory Board consisting of a Chairman and 6 (six) members appointed by the President of the Republic of Azerbaijan.

Article 74.2 reads that in order for journalists to be included in the registry they must prove a degree in higher education as well as a number of other merit-based criteria.

Article 74.2.5 requires that journalists obtain and provide an employment contract with a media entity which must be registered with the Media Registry.

*Article 78

According to Article 78.3 of the Media Law (transitional provisions), both print and online media shall apply to the Media Agency within six months after the media registry is established. If an application for a media platform’s registration is denied, then the applicant is not considered a legal entity. Since journalists cannot be “legal entities,” it is unclear what happens to journalists whose registration is denied.

There is no option to opt out from the registry as it is mandatory as per Article 78.3 of the Media Law.


Already, 200 media outlets and 180 journalists have applied to the media registry, according to a statement by the Media Agency. The Agency claims that approximately 160 media outlets have already been registered. Independent media watchdogs say around 40 media outlets were denied registration.

On January 12, 2023, the Executive Director of the Media Development Agency, Ahmed Ismayilov said, “media entities have six months to register, those who fail to do so, will be taken to court by the agency. It will be up to the court to decide whether to continue their activities or not.”

Following this statement, a group of independent and opposition journalists and media platforms came together under the campaign “We do not want a licensed media.” They have been organizing round table discussions both online and offline, calling on the government to cancel the registry and reform the bill on Media. In January, the group also issued a statement in which signatories claimed, “the new law will have very serious negative effects on the freedom of the media and journalists, and on their freedom of movement and activity.” The signatories of the statement also said the law was unconstitutional and was against the European Convention on Human Rights. As such, they intend to apply to the Constitutional Court and continue onwards with the European Court of Human Rights.

The campaign led Ismayilov to back away from his previous statements about court proceedings. Instead, Ismayilov reportedly said the registration was on a voluntary basis. However, it remains to be seen whether this claim holds true.

Even some pro-governmental journalists criticized the media registry based on rigid regulation and arbitrary application.

Several media organizations challenged the application to the media registry in domestic courts. Among them is 24saat.org LLC (an online media outlet), which has submitted a claim against the Media Agency. The news site was one of the first news platforms denied registration on the grounds that its content was not sustainable (referring to the requirement of publishing a minimum of 20 news items on a daily basis). The site raised the issues of the illegality of that decision and its incompatibility with the Constitution and international agreements, asking instead that the agency register the site and recognize the violation of the right to freedom of expression. On January 9, 2023, the Baku Administrative Court held a preparatory hearing on the claim of 24saat.org LLC against the Media Agency. The court case continues.


The increased role of law enforcement & abuse of power in prosecuting online speech: post-May 2022 developments

There are two legislative acts that regulate internet freedom: 

In addition, the Code of Administrative Offences (Articles 388 and 388-1) determines administrative offenses for violations of the above-mentioned laws (the punishment includes fines and administrative detention).

Some Articles of the Criminal Code may be applied to violations of the above-mentioned laws (such as Article 283 – incitement to hatred and enmity), as may the Law on Prosecutor’s Office, which allows the respective prosecutor’s offices to issue warnings to persons who might breach the law, inter alia, with their statements (Article 22).

The parliament amended the Law on Information, Informatization, and Protection of Information in December 2021, broadening the responsibility of website owners: previously, an owner was obligated to remove content, but under the recent amendments he/she must also block access to the relevant content.

In general, both laws mentioned above can be described as online content regulation. Article 13.2 of the Law on Information and Article 14 of the Media Law regulate prohibited content, and website owners as well as online media outlets must comply with these regulations. Otherwise, they would be subjected to blocking, suspension, administrative punishment, or warnings. Both legislative pieces prescribe a list of prohibited information. These lists are not exhaustive and are very extensive. Moreover, the language of these lists is vague and open to arbitrary interference.

In recent months, the Office of General Prosecutor (OGP) embarked on a spree of resorting to official warnings and legislation on administrative offenses against online media. The Law on Prosecutor’s Office authorizes the OGP and subordinate prosecutor’s offices to issue official warnings. Also, the Code of Administrative Offenses (Article 54.2) gives unlimited power to the Prosecutor’s office to initiate administrative offense cases for any other case envisaged in the Code. Thus, the prosecutor’s office has the authority to take measures of responsibility and deterrence against the dissemination of prohibited information on the Internet under the existing legislation on administrative offenses and the law on the prosecutor’s office.

AIW’s legal analysis titled “Who regulates content online in Azerbaijan. Legal analysis,” published in May 2022, described the growing inclination of prosecuting authorities to intervene in and persecute online media speech.

Since then, the OGP has continued to issue warnings and bring administrative offense cases, including in the following instances:

*On July 27, 2022, social media users Fikret Faramez oglu, the head of the “jamaz.info” website, Agil Alishov, the head of the “miq.az” website and Facebook users – Elchin Ismayil, Ali Jabbarli, and Nurana Fataliyeva were warned by the OGP as per Article 22 of the Law “On the Prosecutor’s Office”, not to allow for such negative circumstances in the future (on the grounds of dissemination of false information to undermine the business reputation of the Azerbaijan Army, create artificial agitation among citizens, as well as overshadow the work done in the direction of strengthening the state’s defense capabilities);

*The same day, Tofiq Shahmuradov (military journalist) was accused under Article 388-1.1.1 of the Code of Administrative Offenses by the OGP, and the Nizami District Court found him guilty and sentenced the journalist to one month of administrative detention (on the grounds of disseminating false information to undermine the business reputation of the Azerbaijan Army, create artificial agitation among citizens, as well as overshadow the work done in the direction of strengthening the state’s defense capabilities);

*On July 30, 2022, the Prosecutor General’s Office of Azerbaijan warned social network users Sakhavat Mammadov, Rovshan Mammadov, Zulfugar Alasgarov, Elgun Rahimov, Fuzuli Kahramani, Zeynal Bakhshiyev, and Ruslan Izzatli within the scope of the Law on Prosecution’s Office (on the grounds – the requirements to present facts and events impartially and objectively, and not to allow one-sidedness, were not observed during the publication of information in the media);

*On August 3, 2022, the OGP warned Facebook users – Tayyar Huseynli, Mubariz Sadigli, Nijat Dadashov, and Irshad Muradov over violating relevant online content regulation (incitement to hatred, privacy violation, and defamation);

*On August 4, 2022, the OGP warned Rustam Ismayilbayli (activist) over a social media post, based on Article 22 of the Law on Prosecutor’s Office;

*On September 16, 2022, Taleh Khasmmadov (human rights defender) was warned by the OGP based on Article 22 of the Law on Prosecutor’s Office (dissemination of unspecified information about the Azerbaijani army). The rights defender was warned not to violate laws.

None of these warnings and/or administrative offense cases meet the requirements of the freedom of expression and access to a fair trial envisaged within the international human rights standards or the constitutional obligations of the Republic of Azerbaijan.

Continued targeted cyber attacks against critics: post-November 2022 developments

In November 2022, AIW published a lengthy legal opinion, “In Azerbaijan, hasty legislative measures in response to cyber threats, leave the protection of personal data on the back burner,” providing a comprehensive analysis of the domestic legislation, the government’s use of those laws, and the adverse effects on personal data protection in Azerbaijan.

Among identified gaps, the report noted that in Azerbaijan, the national legislation on personal data protection does not effectively protect individuals against the arbitrary use of their personal data by both public and private entities.

The analysis also indicates that the national laws restrict and control personal data with intrusive measures, such as equipping telecom networks with special devices, and real-time access to vast amounts of personal data, in the absence of a criminal investigation or judicial order. As such, the absence of clear and enforceable regulations to protect personal data against arbitrariness and flawed systems due to negligence puts personal data at a higher risk of infringements.

Although Azerbaijan joined Convention 108, also known as the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data, in 2009, it has not ratified the Additional Protocol to Convention 108, which requires each party to establish an independent body to ensure compliance with data protection principles and lays down rules on trans-border data flows.

The rights related to personal data are guaranteed by Article 32 of the Constitution of Azerbaijan, which provides the right to privacy of personal and family life, including information transmitted by various means of communication, including correspondence, telephone, mail, and telegraph. The Constitution prohibits acquiring, storing, using, and spreading information about a person’s private life without his/her consent.

There is also the Law on Personal Data, adopted in May 2010, which regulates personal data through different normative legal acts, and the Decision of the Cabinet of Ministers of Azerbaijan about “the requirements for the protection of personal data,” adopted in September 2010. However, previously published analyses on the matter point out a number of shortcomings.

The weakness of Azerbaijani safeguard mechanisms was acknowledged by the Global Cybersecurity Index, which placed Azerbaijan in 40th place among 194 countries ranked by the index. The European Union’s EU4Digital Initiative also criticized the weakness of Azerbaijani mechanisms. According to the findings, Azerbaijani legislation was described as outdated and unable to protect personal data effectively, while the government of Azerbaijan demonstrated no political will to overcome this problem.

Even the intra-country public cybersecurity assessment report found flaws in protection mechanisms (a lack of cybersecurity benchmarks for digital web providers).

The government-issued national strategy for overcoming the problem has not yet shown positive results. Cyber-attacks increased following the second Karabakh war and peaked again during the September border clashes in 2022. Large-scale cybersecurity attacks were committed against several state institutions and banks in April 2022 and August 2022; the authorities refrained from explaining the extent of the damage and did not publicize the results of counteracting measures.

Gaps in legal remedies addressing government-sponsored cyber attacks

In February 2023, AIW published the report “Legal overview legal remedies (or lack thereof) in cases of online targeting,” showing how Azerbaijan does not effectively protect digital rights. The report focused on two types of violations – cyber-attacks and covert surveillance – which occur frequently but are not prevented due to inadequate legal remedies.

For instance, there is no automatic notification system for covert surveillance, and there is no independent internal review body. Additionally, there are no rules against prosecutorial discretion, no mechanism to address conflicts of interest between law enforcement and state security bodies, and challenges concerning judicial avenues.

Within existing legislation, the country’s criminal law is the one that addresses cyberattacks and breaches of privacy. According to the Criminal Code (Articles 155, 156, and 271-273), cyberattacks and violations of privacy and correspondence rights are prohibited and shall be punished. Under these legal norms, where such an act is committed by law enforcement officials, this is categorized as an aggravating circumstance. In these cases, the investigative authority is the prosecutor’s office.

There are civil legal remedies under tort law. However, tort law remedies are effective in practice if the relevant breaches are found in the criminal case. Substantive domestic law also contains constraints against covert surveillance.

According to domestic procedural law (Code of Criminal Procedure), initial inquiries must be conducted based on reports from victims or others. If the initial inquiry finds reasonable suspicion regarding the allegations, the case must be remitted for preliminary investigation. If the prosecutor’s office dismisses the allegations and refuses to initiate a criminal case, interested parties have the right to apply to district courts. District courts have the authority to remit the case back. Moreover, the relevant official bodies shall conduct disciplinary proceedings on allegations against their officials concerning cyberattacks and illegal covert surveillance.

In addition, concerning cyberattacks, there is another review body within the Ministry of Digital Development and Transport – the Cyber Security Service. While the Cyber Security Service has no power to sanction authorities, it does have the authority to review cyberattack claims and issue general warnings concerning cyberattacks. Furthermore, this body may inform other investigative authorities if the problem concerns these authorities. However, it does not have the legal power to conduct an investigation itself, nor can it be considered independent.

In its February report, AIW shared recent cases demonstrating the lack of interest on the part of law enforcement authorities in offering protection in cases of digital rights violations, despite their having an ex officio power to conduct criminal investigations. Since then, attacks have continued.

The most recent state-sponsored attack was against imprisoned political activist Bakhtiyar Hajiyev. Prior to his arrest, Hajiyev criticized the Government, especially the activities of the Ministry of Internal Affairs. Last year, he was abducted by unknown persons and was forced to delete posts about the Minister of Internal Affairs. Up until today, it remains unclear who abducted Hajiyev. The activist was also subjected to a nasty blackmail campaign.

In December 2022, following his return to Azerbaijan from a trip abroad, Hajiyev was summoned by the Baku General Police Department. He was charged with hooliganism and contempt of court. Based on these charges, the Khatai District Court applied remand in custody; the decision was extended until April 28, 2023. Hajiyev went on a hunger strike twice during his detention. After more than 50 days, he stopped at the end of February 2023.

At the end of December 2022, some anonymous social media accounts shared private correspondence between Hajiyev and a media editor (Vusala Mahirgizi). The leaked conversations alleged Hajiyev was a marionette of one of the clans. Hajiyev published a statement in which the activist said the correspondence was leaked as a result of the hacking of his private communication and that the allegations of Hajiyev being a marionette were false.

It is worth noting that this correspondence was leaked during calls for the activist’s release. The leak was largely viewed as an attempt to weaken the advocacy campaign for the release of Hajiyev.

Since February 22, 2023, however, Hajiyev has been the target of another blackmail campaign. A number of anonymous users on Telegram, under different channels [‘Exposure of Bakhtiyar Hajiyev’], have been disseminating some of Hajiyev’s private information, as well as that of women the activist has corresponded with. Currently, one of the Telegram accounts has 4681 subscribers. Similar information was leaked by fake Facebook accounts. In addition to leaked correspondence, sexually explicit photos of several women who appear with Hajiyev were shared by these accounts. As a result, at least two women were forced to leave their homes and hide from their families, fearing reprisals for ‘immorality’ from their families.

According to media professionals, some parts of the correspondence were probably photoshopped. However, there are others that may be authentic.

These anonymous users also published the names of activists, threatening to leak their conversations with Hajiyev as well. Some of these activists are advocates calling for Hajiyev’s release. Some activists whose private communications were leaked said they would submit a complaint about it.

In the meantime, the Ministry of Internal Affairs said these leaks had nothing to do with them and that during Hajiyev’s arrest, they did not seize any of his devices. However, according to Hajiyev’s lawyers, Hajiyev arrived at the Baku General Police Department in his car and left his phone in the car. The car stayed there for three days and it is likely his phone was compromised during this period.

Meanwhile, the Telegram channels are still active. Hajiyev submitted a complaint to the Prosecutor’s Office about the first incident of cyberattacks. According to his lawyers, they will also add the second incident.

What is next?

The overall analysis and reports indicate that domestic legal remedies in substantive and procedural law do not protect privacy rights to a satisfactory level in Azerbaijan. While substantive law at the formal level safeguards digital rights, in practice these safeguards have no real effect. Judicial remedies are insufficient because criminal procedural avenues in some circumstances are insufficient, and in other circumstances the district courts cannot force the initiation of a criminal case against officials, as the latter still depends on investigative bodies like the prosecutor’s office, which decide whether or not to open a criminal case.

Moreover, civil and administrative judicial avenues are also not operational because the heavy burden of proof lies on claimants. In addition, internal disciplinary proceedings are not effective due to a lack of independent oversight bodies. Also, the Cyber Security Service lacks real mandatory power in cyberattack cases, in addition to independence issues. Therefore, in cases of covert surveillance and cyberattacks by state authorities, domestic remedies are not effective. It should be added that other aspects of domestic remedies concerning internet freedoms also have challenges. For example, blocking access and official warnings by the prosecutor’s office are especially problematic.

It is well established by the ECtHR in several cases against Azerbaijan that the domestic courts consistently fail to conduct effective judicial oversight in politically motivated cases and instead merely uphold the position of the executive authorities (see, among others, Aliyev v Azerbaijan, appl. No. 68762/14, 71200/14, 20/09/2018, para. 224). Consequently, it may be concluded that procedural law and its safeguards against internet freedom violations have serious flaws. Moreover, practical case studies further show that the relevant investigative authorities and domestic courts are not interested in pursuing criminal investigations of cyberattacks and covert surveillance, or in upholding internet freedoms in cases of access blocking and official warnings.

The European Court of Human Rights (ECtHR) might be considered one of the most effective international avenues in terms of providing legal remedies for violations of internet freedoms. The effectiveness of the ECtHR lies in its ability to issue binding judgments against member states (namely, Azerbaijan) which can result in the provision of legal remedies for the victims of rights violations. However, there are systematic delays in the execution of the ECtHR judgments by Azerbaijan.* The Committee of Ministers of the Council of Europe continuously supervises the execution of judgments of the ECtHR by the member states and urges states to obey the judgments.


 *The Committee of Ministers of the Council of Europe (to which Azerbaijan is a party) mandates that member states comply with the judgments and certain decisions of the European Court of Human Rights. And yet, the court’s decision on Khadija Ismayilova group v. Azerbaijan (Application No. 65286/13) calling on Azerbaijan to duly investigate committed acts, where they [the authorities] failed to do so, and any possible connection and links between crimes committed against journalists and their professional activities, was not complied with.


Given the existing environment, the likelihood of further cyber threats and attacks continuing is high.

The Telegram channels targeting Hajiyev remain. Unidentified persons with ties to the law enforcement authorities have access to Hajiyev’s personal data, and they are likely to continue abusing this access. Moreover, the state authorities have broad opportunities to compromise other activists’ accounts and to disseminate their private communications. Therefore, cyber threats currently create a difficult challenge for civil society activists. It should be added that the Government does not commit to changing personal data protection laws and taking practical steps to prevent state-oriented or third-party cyber attacks.

International human rights mechanisms, especially international tribunals, are the main source of protection against violations of privacy rights and cyberattacks. Bringing more applications before the ECtHR and the Human Rights Committee is especially important. Currently, there is no case law of the relevant international human rights mechanisms concerning cyberattacks and privacy violations against Azerbaijan. Despite Azerbaijan not adhering to the judgments of international tribunals on violations of rights, this kind of implementation procedure might help improve the situation.

Due to the current problematic situation within the legal profession (lack of lawyers, lack of interest, and fear among lawyers to take up human rights cases), many cases cannot be brought before international tribunals. Most human rights lawyers are already overwhelmed with the volume of cases they represent. Therefore, international assistance in bringing these applications before international courts is a useful tool for counteracting violations. International human rights organizations must assist local human rights lawyers in bringing cases of personal data infringements to international courts (ECtHR, UN).

In the meantime, the government of Azerbaijan must be urged to adopt effective legal remedies and procedural safeguards against arbitrary and unlawful control of personal data with excessive and broad discretion. Minimum safeguards for the exercise of discretion by public authorities must include detailed rules on (i) the nature of the offenses (grounds) which may give rise to an interception order; (ii) duration, scope, and practical review of interception orders; (iii) the precautions to be taken when communicating the data to other parties.

An independent regulatory authority should be established to supervise and review complaints about personal data breaches. The laws must also be formulated with sufficient clarity and precision to give citizens an adequate understanding of the conditions and circumstances in which the authorities are empowered to resort to this secret and potentially dangerous interference with the right to respect for private life and correspondence.

International advocacy campaigning is a useful instrument for getting attention to the problem. New campaigns may bring the attention of international public bodies to the issue.

Finally, capacity-building activities on internet security issues should be continued and potentially targeted groups should be equipped with more information and tools in this area.

In Azerbaijan, hasty legislative measures in response to cyber threats leave protection of personal data on the back burner

In an increasingly digitalized world, collection, retention, and processing of private data have an essential role for both private and public bodies for the purpose of their services to citizens or clients/users. However, in the absence of strong data protection regulations and cybersecurity, privacy infringements are inevitable. The analysis shared below indicates that in Azerbaijan, the national legislation on personal data protection does not effectively protect individuals against the arbitrary use of their personal data by both public and private entities.

The analysis also indicates that the national laws restrict and control personal data with intrusive measures, such as equipping telecom networks with special devices, and real-time access to vast amounts of personal data, in the absence of a criminal investigation or judicial order. As such, the absence of clear and enforceable regulations to protect personal data against arbitrariness and flawed systems due to negligence puts personal data at a higher risk of infringements.

To effectively illustrate how in practice, no control and legal remedies are implemented in relation to the collection and processing of personal data in the context of Azerbaijan, we specifically looked at the telecom industry and a wave of hacks into state-run databases containing vital citizens’ personal data.

Our findings underline the need to strengthen national laws and the practice of protecting individuals’ personal data in light of the growing number of infringement incidents of individuals’ personal data collected by state authorities and corporate entities as a result of existing legal loopholes and a wave of in recent years connected with personal data protection in Azerbaijan.

International standards

The protection of personal data which falls within the scope of the right to privacy is recognized internationally as a human right and countries are required to respect it. This right is enshrined in different international human rights treaties ratified by the Republic of Azerbaijan. These include the Universal Declaration on Human Rights (Article 12), International Covenant on Civil and Political Rights (Article 17), Convention on the Rights of the Child (Article 16), and International Convention on the Protection of All Migrant Workers and Members of Their Families (Article 14).

At the regional level, the right to privacy is protected by the European Convention on Human Rights. Article 8 (Right to respect for private and family life, home and correspondence) of the convention holds that telephone data, emails, and Internet use (Copland v. the United Kingdom, 2007 §§ 41-42), and data stored on computer servers (Wieser and Bicos Beteiligungen GmbH v. Austria, § 45), fall within the scope of protection of Article 8. The European Court of Human Rights also acknowledges that the protection of personal data is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life, home, and correspondence, as guaranteed by Article 8 of the Convention (Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland [GC], 2017, § 137; Z v. Finland, 1997, § 95).

The mere storage of personal data can violate a user’s right to privacy. The violation depends on the context in which the data is collected, the way it is collected, processed and used, and the outcome of the user data collection (S. and Marper v. the United Kingdom, 2008).

This right is further promoted and reinforced by the Council of Europe Convention 108 and a number of recommendations in relation to the protection of personal data adopted by the Committee of Ministers of the Council of Europe.

Azerbaijan has ratified various international and regional human rights treaties providing protection to the right to privacy and personal data, and as such, committed to ensuring relevant international human rights standards in relation to personal data protection. In 2009, the country joined Convention 108 also known as the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data. However, Azerbaijan is not a party to the Additional Protocol to Convention 108 which requires each party to establish an independent authority to ensure compliance with data protection principles and lays down rules on trans-border data flows.

A legally binding international data protection treaty establishes a number of principles for the signatory states to ensure that data is collected and processed fairly, through procedures established by law and for a specific purpose, that collected data is stored for no longer than a set time, and that individuals have a right to access, amend or erase their data.

Practice in Azerbaijan

The rights related to personal data are guaranteed by Article 32 of the Constitution of Azerbaijan, which provides the right to privacy of personal and family life, including information transmitted by various means of communication, including correspondence, telephone, mail, and telegraph. The Constitution prohibits acquiring, storing, using, and spreading information about a person’s private life without his/her consent.

The main law covering personal data in Azerbaijan is the Law on Personal Data adopted on May 11, 2010 [No 998-IIIQ available in Azerbaijani here]. Article 6 of the Law on Personal Data sets out the forms of state regulation,[2] which are regulated through different normative legal acts.

In this context, personal data refers to information that makes it possible to determine, directly or indirectly, the identity of a person [The Law on Personal Data, article 2.1.1]. This information includes name, last name, patronymic, date of birth, and other information contained in the documents of identity, as well as data revealing racial or ethnic origin, marital status, religious faith and beliefs, and health or criminal record of an individual.

The Law on Personal Data does not contain an exhaustive list of data that is deemed to be “personal data”. Thus, what constitutes personal data must be assessed on a case-by-case basis. Personal data is defined as any information referring directly or indirectly to an identified or identifiable individual (the “data subject”). The Data Protection Law also sets forth special categories of personal data. These cover information referring to a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, personal health, sex life, and criminal record. In addition, the processing of biometric data is regulated by the Data Protection Law.

As per the Decision of the Cabinet of Ministers of Azerbaijan about “the requirements for the protection of personal data” adopted on September 6, 2010, seven state institutions are granted the authority to supervise the fulfillment of the requirements for the protection of personal data. These are the Ministry of Digital Development and Transportation; the State Security Service; the Foreign Intelligence Service; the Ministry of Internal Affairs, the Ministry of Justice; the Special State Protection Service; the Special Communication and Information Security State Service; and the Financial Markets Control Chamber.

Under the Law on Personal Data, collection, processing, and cross-border transmission of personal data of any physical person are permitted only with the written consent of that person. Similarly, Article 6 of the Convention for the Protection of Individuals with Regard to the Processing of Personal Data states that the processing of special categories of personal data shall be allowed only where appropriate safeguards are enshrined in law, complementing those of this Convention. Such safeguards shall guard against the risks that the processing of sensitive data may present for the interests, rights, and fundamental freedoms of the data subject, notably the risk of discrimination.

In the context of Azerbaijan, the country’s Law on Personal Data (Article 13.2.1) provides an exception where personal data can be made accessible to third parties without the consent of the subject. This exception is based on Article 5.4 of the Law on Personal

A recent wave of cyber threats and Azerbaijan’s response 

Azerbaijani citizens have long suffered significant harm from hacks into the databases of key public institutions or from monopolistic companies transferring personal user data without users’ consent. This has been the case at least since 2011.

2022 was no exception. Multiple data leak incidents involving the personal data of millions of citizens, allegedly obtained from government agency databases, were reported in the course of this year. Officials say cyber-attacks have increased in the aftermath of the second Karabakh war [September 2020] and peaked once again during the September border clashes this year. Weak protection mechanisms have placed Azerbaijan 40th among 194 countries in the Global Cybersecurity Index in 2021.

The most recent cyber-attack took place on August 8, 2022. Large-scale cyber-attacks against a number of state institutions and banks in Azerbaijan were reported by the State Service for Special Communication and Information Security. Further details of the hack, including how much data was stolen, remained unclear.

On April 20, 2022, the website of the Compulsory Insurance Bureau of Azerbaijan was compromised. The perpetrator(s) of the hack claimed that the entire system of the Compulsory Insurance Bureau was destroyed, and more than 40 million pieces of information were seized. The online platform of the State Motor Transport Service (e-fn.danx.gov.az) was also among hacked institutions.

According to the June 2020 “Cybersecurity guidelines for the Eastern Partnership countries,” released by the European Union’s EU4Digital Initiative, the main obstacles and gaps in the area of cybersecurity in Azerbaijan were the country’s outdated national legislation and insufficient commitment of national authorities to cybersecurity matters.[3]

The country’s own Cybersecurity Governance Assessment Report published in November 2020, indicated that there was a lack of cybersecurity benchmarks for digital web providers, due to the absence of a competent authority in the field of cyber/information security to supervise public and private digital service providers with regard to the implementation of cyber/information security requirements.

In light of recent cyber threats, the government of Azerbaijan has come up with several legislative and policy measures – a document on the security of critical information infrastructure and information and cyber security strategy. On September 21, 2022, the head of the department of the State Service for Special Communication and Information Security of Azerbaijan, Tural Mammadov, stressed that the cyber strategy submitted to the Cabinet of Ministers will be approved soon. The “National Strategy of the Republic of Azerbaijan on Information Security and Cybersecurity for 2020 – 2025” has been in the works since March 2020.

New legislative amendments

On April 17, 2021, President Ilham Aliyev, signed an order “On some measures in the field of ensuring the security of critical information infrastructure.” The order authorized the State Security Services of Azerbaijan to ensure the security of critical information infrastructure including the fight against cyber threats.[4]

In May 2022, the parliament approved amendments to the Law of the Republic of Azerbaijan “On information, informatization, and protection of information.” The amendments included 9 new concepts and a new chapter, named “Security of critical information infrastructure,” which consisted of 6 articles. Amendments that entered into legal force on July 6, 2022, brought new concepts such as critical information infrastructure, cyber security service provider, information security, cyber threat, cyber-attack, and cyber incident to the national legislation. In connection with the adoption of amendments to the Law “On information, informatization, and protection of information” two new articles were added to the Code of Administrative Offenses providing administrative liability for the violation of the order ensuring the security of critical information infrastructure.

Article 371-1 envisages liability for violation of the rule of ensuring the security of critical information infrastructure. Article 602-3 envisages liability for failure to fulfill the requirements of the authorized body (official) in the field of ensuring the security of critical information infrastructure.

On July 16, 2022, the decree of the Cabinet of Ministers was tasked to prepare draft rules for ensuring security and proposals on the criteria of critical information infrastructure and facilities within 2 months.

Personal data vs. surveillance and commercial use of personal data   

How do national laws protect personal data in the telecom industry?

Collection, processing, and protection of personal data, including individual information created by means of technology [SMS, phone calls, etc.], are mainly regulated by several laws [on Telecommunications, On information, informatization, and protection of information, and on Personal Data] and normative legal acts of the Cabinet of Ministers and other central executive powers.

In Azerbaijan, customers entering into a contract with mobile operators [to complete SIM card registration] are obligated to provide an extensive amount of personal data. This is regulated by Article 40 of the law On Telecommunications and the decision of the Cabinet of Ministers dated July 7, 2005, “On the approval of the conditions required for the sale and use of communication facilities by communication enterprises (operators), as well as their dealers.”[5] The collected user data is then stored in the single database of operators and on AzInTelecom (State company of the Ministry of Digital Development and Transportation) in an electronic format.[6] According to a decision of the Cabinet of Ministers, the Information Computing Center of the Ministry of Digital Development and Transport where the personal data are gathered and processed is established together with the Ministry of Internal Affairs and State Security Service.[7]  

Pursuant to purposes, and operation-search activities and solve relevant organizational and technical issues in relation to such activities within the operators’ information systems.[8]

The Presidential Decree No. 507 dated June 19, 2001 (IV) “On the division of powers of search operations’ entities while carrying out search operations,” ensures that the Ministry of Internal Affairs and the State Security Service can autonomously connect to the communication networks of telecom operators.[9] That being said, the presidential order regulating the conduct of this kind of search and operation activity in the telecom industry dated February 15, 2017, is not public.[10]

The above-mentioned legal environment makes subscribers’ personal data accessible to the law-enforcement authorities, given that all collected user personal data is accumulated in the database established together with the law enforcement authorities or is equipped with the technical means allowing law-enforcement authorities to access users’ personal information. Also, according to Article 11 (IV) of the Law on Operation and Search Activities, the decision of the court (judge) or investigative body or the authorized subject of operative search activity on the implementation of operation-search measures can be accepted not only when there is an initiated criminal case but also in a wide range of circumstances including in an event the state security and/or its

Pursuant to article 445 of the Criminal Procedure Code, search operations such as interception of telephone conversations; monitoring of mail, telegraph, and other correspondence; and extraction of information from technical communication channels and other technical devices are carried out only on the basis of a court decision.[11] However, according to Article 10, paragraph 4 of the Law on “Operation and Search Activities”, and Article 177.4 of the Criminal Procedure Code, these search operations may also be carried out without a court decision, based on a reasoned decision of an authorized officer of the body carrying out the search operation.[12] This decision must be presented to the court conducting judicial oversight and to the prosecutor conducting the procedural management of the preliminary investigation within 48 hours after the relevant measures are taken. In practice, most of the investigations carried out based on a reasoned decision of an authorized person have [13]

The selling/giving of personal data to third parties for commercial purposes

Azerbaijani media and social networks regularly discuss the reports and complaints connected with the processing (transfer/sale) of SIM card users’ personal data without their consent for commercial purposes.

In accordance with article 23.1 of the Law of the Azerbaijan Republic “On Advertising” dated May 15, 2015, No. 1281-IVQ, the telecom operator and provider may broadcast advertisements based on the contract concluded with the advertiser. The telecom operator and provider can send the advertisement to the subscriber individually only if the sending of the advertisement is agreed upon in the written contract concluded between the company and the subscriber. The existing law obligates the telecom operator and the provider to give the subscriber the option to opt out of receiving advertisements at any time, or to receive from telecom operators only the advertisements the subscriber wishes to receive.[14] Similar provisions are envisaged in Article 50-1 of the Law “On Telecommunications.”[15]

According to Article 9.10 of the Law on Personal Data, personal data collected and processed in corporate information systems may be presented to third parties for a fee. This procedure is regulated by the Decision of the Cabinet of Ministers, “Regulation on the transfer of personal data collected and processed in corporate information systems to third parties on a paid basis” which was adopted on March 2, 2011.[16] According to this regulation, the sale/transfer of data to a third party only applies to the open category of personal data.[17] The open category of personal data refers to the (i) information which has been anonymized in a specified manner, (ii) made public by the subject, or (iii) entered into the information system created for general use, with the subject’s consent. The Regulation (article 2.1) further requires a contractual agreement between the owners of personal data and the third party intending to obtain the personal data and additional permission of the state body that maintains the state register of information systems (Ministry of Digital Development and Transport).[18] The Regulation (article 2.3) also determines mandatory contractual clauses for the agreement on the transfer of personal data collected and processed in corporate information systems to third parties on a paid basis. It establishes specific duties[19] for the third parties who intend to obtain personal data.

However, agreements between operators and providers, and third parties on the sale of personal data are not provided to owners of personal data (individuals whose personal data was transferred) or published. Therefore, individuals are deprived of the ability to know the scope of the data sold and further specifics of the use of their personal data.

However, the Law on Personal Data (article 7.1.2.) provides that owners of data have the right to request the legal justification for the collection, processing, and transfer of personal data about themselves and to receive information about the legal consequences (for themselves) of the collection, processing, and transfer of this data to third parties.

How is the consent given?

There are over ten million mobile phone subscribers in Azerbaijan.[20] Azercell LLC, Bakcell LLC, and Azerfon LLC (A brand of Nar) are the three major mobile phone operators. Subscription contracts of all three major mobile operators reveal that all contracts include many similar conditions because of the Law on Telecommunication which sets the mandatory clauses for such contracts between operators and subscribers.[21] As such, there is little difference in the way the operators use personal data. The subscription agreements individuals enter with mobile operators (at least in the subscription agreements distributed on the websites of Bakcell LLC and Azercell LLC) include provisions indicating “giving consent to receive advertising SMS”. Individuals often overlook these conditions or pay no attention.

A review of the consent clauses in the subscription agreements demonstrates that such provisions are not clearly reflected and do not explicitly state concrete implications for subscribers when choosing “to receive advertisement SMS” and what this means from the protection of personal data perspective.

However, the Law on Personal Data (article 8.2) sets out that the individuals’ written consent for the processing of personal data must include the purpose for collecting and processing personal data, the lists of personal data consented to be processed by the subject, and their processing operations, the validity period of the subject’s consent and the conditions for its withdrawal, conditions for destruction or archiving of personal data collected about the subject in accordance with the legislation after the expiration of the specified period of storage of personal data in the relevant information system or after the subject’s death.

As the contracts between the advertising companies and mobile operators are not public, it is not clear how the mobile operators allow third parties “to send advertising SMS” to subscribers. Although subscribers are aware that the operators use their personal information to sell targeted ads, they do not know whether such contracts also ensure the transfer of phone numbers to third parties, or what concrete personal data mobile operators use to identify eligible subscribers to send advertising SMS.

None of the three main telecom operators have published Privacy Policies in relation to the protection of personal data in regard to using SIM cards. Azercell LLC[22] and Azerfon LLC[23] do have privacy policies in relation to their policies on data protection.

In the example of the subscription agreement of Bakcell LLC[24], the contract includes one article that refers to advertisement:  “4.3. On the basis of this Agreement, the Subscriber agrees to the automatic sending of information, entertainment, and advertising SMS to their number, and if the Subscriber refuses to receive any type of SMS, the sending of such SMS to the corresponding number is stopped.”

In the sample contract of Azercell LLC [25], the provision of “whether the subscriber consents to receive advertising SMS” requires an affirmative answer. This is good, especially in comparison to the sample contract of Azerfon LLC (Nar)[26], where there is no clause regarding obtaining consent for such advertisement services. Instead, provision 6.4. of the contract states, “By signing this contract, the subscriber agrees to receive advertising or entertainment SMS or any other information to the number(s) he/she is using”. In addition to that, the Azerfon LLC (“Nar”) Privacy Policy states that “the subscriber accepts that Azerfon is not responsible for the disclosure of his/her information to third parties through the “Nar+” service application”.

In practice, individuals buying SIM cards are offered standard contracts and are not offered an opportunity to effectively refuse to give consent to receiving such services. It seems that the subscriber is offered the opportunity to unsubscribe from ads only after activating the SIM card. It is then the subscriber’s responsibility to contact the operator and ask for a specific code that would stop this service.

None of the three mobile operators’ contracts contain a provision on the operators’ responsibility in relation to the protection of subscribers’ personal data even though operators receive an extensive amount of personal information during the sale of sim cards. The operators also oblige subscribers to update the operators in case of any changes to their personal data.[27] Such clauses in the contracts in the case of all three mobile operators are clearly undisputable as mobile operators design their contracts unilaterally, and the subscriber has no effective option to remove those conditions from the contract except in the subscription contract of Azercell LLC.

Different Council of Europe instruments refer to consent about the processing of users’ personal data. Bearing in mind that provisions of the Council of Europe Convention for the Protection of Individuals with Regard to the Processing of Personal Data apply to the automated data processing activities of network operators and parties providing telecommunication services, the telecom companies must respect the requirements of the Convention, which Azerbaijan is a party to. Thus, Article 5(2), “Legitimacy of data processing and quality of data”, of the Convention stipulates that “each Party shall provide that data processing can be carried out on the basis of the free, specific, informed and unambiguous consent of the data subject or of some other legitimate basis laid down by law.”

Recommendation (95)4 of the Committee of Ministers of the Council of Europe to Member States[28] recommends that the collection and processing of personal data in the area of telecommunications services should take place and develop within the framework of data protection policy, taking into account the provisions of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and in particular the principle of purpose specification (3.1). The mentioned Recommendation also envisages that “Domestic law should provide the appropriate guarantees and determine the conditions under which subscriber data may be used by network operators, service providers, and third parties for the purposes of direct marketing by telephone or by other telecommunications means” (7.8).

The “Principles underpinning privacy and the protection of personal data” (2022) adopted by the UN Special Rapporteur on the Right to Privacy analyses international law in relation to consent and stresses the consent of the subject (owner of the personal data) as one of the legitimate grounds for the processing of personal data.[29] The UN Special Rapporteur concludes that the principle of consent is closely linked to the principle of legality, as it is the most common internationally recognized permissible ground for the processing of personal data (paragraph 31).

KEY FINDINGS

Do mobile operators give subscribers’ phone numbers and other personal information to other companies?

In the absence of publicly available information about contracts between mobile operators and third parties concerning the sale or transfer of private data, and given the lack of privacy policies of telecom companies, including the lack of any comprehensive data on protective legislation and oversight, it is difficult to say that SIM users’ personal data is not shared with other private and public databases, is not used to enable companies and states to create specific profiles of individual citizens, and is not enabling third parties to access a vast amount of data for commercial purposes.

In March 2017, Azerbaijan’s Supreme Court judgment “Viza” Law Firm v. “Azercell Telecom” LLC and “Sindbad” LLC established that one of the main mobile telecom companies, Azercell LLC, transferred the number of one of its subscribers (clients) to another company, which used the provided number to send advertising SMS despite there being no legal ground (contract) between the company sending the advertisement and the user receiving the notifications via SMS. The Supreme Court judgment allows the conclusion that mobile operators may share users’ personal data with third parties for direct marketing without explicitly mentioning this in the subscription contracts.

In July 2019, Azerbaijan’s Commissioner for Human Rights expressed concern over serious problems in data protection in the telecom industry where mobile operators were distributing users’ personal data without their knowledge and consent.[30]

Do the law-enforcement authorities have access to personal data gathered in the telecommunication systems beyond the rule-based surveillance regime?

The existing system around SIM card registration gives law-enforcement agencies access to, and permission to govern, an extensive database of private data of SIM card users. This puts individuals at risk of being tracked or targeted and having their private information misused. Such access undermines the ability of users to communicate anonymously and their right to privacy.[31]

This also poses a threat to vulnerable groups and facilitates an environment of state surveillance, making tracking and monitoring of users easier for law enforcement authorities.

One prominent example illustrating this trend was documented in January 2019 when after an opposition protest rally, scores of rally participants received calls on their mobile phones from the local executive authorities and the police. All were interrogated about their participation in the rally. As such, mobile operators have long been accused by activists of providing their mobile numbers to the authorities.[32] Responding to these claims, the mobile operators said the data shared with law enforcement was provided based on legislation and official request.[33] Meanwhile, the Ministry of Interior confirmed that the rally participants were indeed called in for questioning on the grounds that this was a “police activity, and the police were carrying out both public and operation-search and other investigative activities.”[34]

Some experts suggest that having mandatory SIM card registrations further fuels their illicit use. It creates a need for a black market, as people want to communicate anonymously and it encourages identity fraud as people try to evade the system altogether.[35]

Conclusion

National legislation of Azerbaijan regulating the telecommunication sector must be reviewed in line with the established principles and standards of the European Convention on Human Rights, including the Convention for the Protection of Individuals with Regard to the Processing of Personal Data.

The national laws must be designed in a way where personal data is processed lawfully (with free, informed, unambiguous consent of the data subject or on the basis of law) for clearly defined legitimate purposes. In a context where national security and public safety interests are so often used to justify unprecedented intrusions on human rights and freedoms, it is crucial to ensure that new legislative and policy responses to cyber threats do not harm individuals’ personal data.

In particular, all national legal frameworks in the areas of surveillance, interception, protection of personal data, and other relevant areas, must be accessible to an individual in question, who must be able to foresee the consequences of its application to him/her.

The government must adopt effective legal remedies and procedural safeguards against arbitrary and unlawful control of personal data with excessive and wide discretion. Minimum safeguards for the exercise of discretion by public authorities must include detailed rules on (i) the nature of the offenses (grounds) which may give rise to an interception order; (ii) duration, scope, and effective review of interception orders; (iii) the precautions to be taken when communicating the data to other parties. Nationally, an independent regulatory authority should be established to ensure supervision and review complaints related to personal data breaches.

The laws must also be formulated with sufficient clarity and precision to give citizens an adequate understanding of the conditions and circumstances in which the authorities are empowered to resort to this secret and potentially dangerous interference with the right to respect for private life and correspondence.

National laws also must be amended in order to ensure that telecommunication services offer guarantees for users’ privacy, the secrecy of their correspondence, and the freedom of communication. Furthermore, existing rules equipping and enabling the use of special tools within the telecommunication networks must be re-designed in order to provide privacy for users and mitigate risks of abuse of personal data by the authorities.

National legal frameworks should encourage the private sector (in particular in the areas of mass personal data collection and processing) to develop data protection policies.

on increasing cyber security within the critical information infrastructure should recognize that the private sector is responsible for cyber security; however, it should not enhance government control over the personal data collected and processed by the private sector. The government’s appetite to control telecom infrastructure and information in cyberspace is unlikely to bring positive changes with respect to personal data protection in Azerbaijan.

In this context, the cyber security measures must put personal data at the heart of the planned legislative and policy measures, in particular removing the risk of abuse of personal data by telecommunications service providers and state authorities.

Footnotes

[1] Rec(2002)9 18/09/2002 on the protection of personal data collected and processed for insurance purposes;  Rec(95)4 07/02/1995 on the protection of personal data in the area of telecommunication services, with particular reference to telephone services;

Rec(91)10 09/09/1991 on the communication to third parties of personal data held by public bodies;  Rec(85)20 25/10/1985 on the protection of personal data used for the purposes of direct marketing.

[2] (i) establishing the legal basis for the collection and processing of personal data; (ii) ensuring basic human and civil rights and freedoms during the collection and processing; (iii) licensing of activities on collection and processing of personal data; (iv) conducting state registration of information systems of personal data; (v) certification of information systems of personal data and other ICT tools; etc.

[3] According to the report findings, national law on the protection of personal data is outdated, and national legislation does not require data breach notifications. The report also identifies the main challenges as insufficient funding, lack of qualified personnel and resources in the cybersecurity area, and insufficient commitment of national authorities to cybersecurity matters. The report also indicated that security audits verifying whether baseline cybersecurity measures are implemented are carried out only in the banking sector. It further notes that there is no formal definition of Critical Information Infrastructure (CII) and CII operators are not identified at the national level.

[4] The State Security Service of Azerbaijan performs those functions jointly with the State Service of Special Communication and Information Security of Azerbaijan toward the state bodies, and public legal entities created on behalf of the state, in relation to legal entities belonging to the state.

[5] The decision of the Cabinet of Ministers dated July 7, 2005, requires the collection of personal data from subscribers such as the subscriber’s SIM card number, parameters of the subscriber identification module (IMSI, etc.), the mobile device’s international identification number (IMEI), ID card or passport (with photo), the concrete and detailed address and place of residence of the subscriber, bank account and registration details for legal entity subscribers, etc. https://e-qanun.az/framework/10541;

[6] The implementation of the changes to the mobile number sale rules is being finalized, E-Gov.az portal, https://www.e-gov.az/az/news/read/349

[7] It is noted in the decision (preamble) of the Cabinet of Ministers that the rule (auth: a mandatory collection of personal data and establishing a unified database of SIM card holders) was adopted in order to implement the provisions specified in Articles 39.1 of the Law “On Telecommunications”, Articles 9 and 12 of the Law “On Operation-Research Activities” and 17.4 of the Law “On Intelligence and Counter-Intelligence Activities” that oblige telecommunication companies to create conditions for the search and operational activities of law enforcement authorities. Thus, provisions in the various legal acts referred to, as well as these regulations, allow law enforcement agencies (Ministry of Internal Affairs and State Security Service) to jointly form a database where personal data collected by communication enterprises is collected (paragraphs 3 and 4 of the Regulations).

[8] Pursuant to article 10.5 of the Law on Personal Data, article 39.1 of the Law on Telecommunications, and according to article 17.4 of the Law on Intelligence and Counterintelligence Activities, telecom operators must create conditions for conducting intelligence and counterintelligence, and operation-search activities in accordance with law and solve relevant organizational and technical issues in relation to such activities within the operators’ information systems.

[9] In accordance with the Presidential Decree No. 507 dated June 19, 2001 “On the division of powers of search operations’ entities while carrying out search operations,” legal entities and individuals providing communication services are required to install special equipment that provides access to information for the search and operation purposes.  https://e-qanun.az/framework/3569#_ednref12

[10] On the approval of the “Rules on ensuring information security during the implementation of operational search measures in communication networks” approved by the Presidential order on 2 October 2015, https://e-qanun.az/framework/30840

[11] Wiretapping of telephone conversations and extraction of information from technical communication channels and other technical means are carried out by the Ministry of Internal Affairs and the State Security Service in accordance with Presidential Decree No. 507 dated June 19, 2001 “On the distribution of authorities of entities of operative-searching activity in the implementation of investigation and search operations” available (in Azerbaijani)  http://e-qanun.az/framework/3569

[12] In this case, the authorized official of the body conducting the search operation shall, within 48 hours of carrying out the search, submit the reasoned decision on the conduct of the search operation to the court exercising judicial supervision and the prosecutor.

[13] Dissenting opinion of judge Isa Najafov, in the decision of the Plenum of the Constitutional Court “On the interpretation of some provisions of Articles 137 and 445.2 of the Code of Criminal Procedure of the Republic of Azerbaijan” February 12, 2015. Available (in Azerbaijani) at: https://constcourt.gov.az/az/decision/1159

[14]  The telecommunication operator and provider shall be responsible for sending advertising without the consent of the subscriber or contrary to the provisions of this Law. Law on Advertising (Article 23), https://e-qanun.az/framework/30348

[15] The Law On Telecommunications, https://e-qanun.az/framework/10663

[16] “Regulation on the transfer of personal data collected and processed in corporate information systems to third parties on a paid basis” adopted on March 2, 2011, https://e-qanun.az/framework/21385

[17] The person’s name, surname, and patronymic are permanent open personal information. (The Law on Personal Data, Article 5.3).

[18] State registration of Information Systems and cancellation of state registration is carried out by the Ministry of Digital Development and Transport of the Republic of Azerbaijan as determined by the Decision (article 1.3) of the Cabinet of Ministers On approval of “Rules for state registration of information systems of personal data and cancellation of state registration” dated on August 17, 2010. https://e-qanun.az/framework/20039

[19] The contract should specify the content of the provided data, purposes of acquisition, fields of use, and methods, and the following obligations of the third party acquiring personal data should be provided: ensuring the protection of obtained personal data and the rights of personal data subjects in accordance with the Law of the Republic of Azerbaijan “On Personal Data”; not to give or transfer the obtained personal data to other persons in any way; exclusion of all threats and dangers for personal data subjects when using personal data, and not making offers that may cause them unwanted or additional costs, as well as anonymous or misleading personal data subjects. The material, technical and organizational capabilities of third parties who obtain personal data collected and processed in corporate information systems or their personal data operators must be in accordance with the purpose of data acquisition and the requirements for their protection.

[20] 2022 CEIC Data, an ISI Emerging Markets Group Company, https://www.ceicdata.com/en/indicator/azerbaijan/number-of-subscriber-mobile

[21] Article 40 of the Law on Telecommunications requires that the following provisions are reflected in the contract and other documents should be a part of it: i) the period (time) and conditions of connection and use of end equipment to the telecommunications network; ii) conditions of termination and cancellation of the contract; iii) duties, rights and responsibilities of the parties; iv) the subscriber’s consent (objection) to the implementation of the duty specified in Article 33.1.3-1 of this Law; v) his/her consent (objection) to the display of information about the subscriber in survey-information sources; vi) other conditions not contrary to law. A copy of the photo ID of the subscriber must be attached to that contract.

[22] Azerfon LLC (“Nar”) respects your privacy. This Privacy Policy explains the collection, use, and sharing of information from or about you in connection with your use of the services. The term “Services” refers to our video service, including the selection of television shows, clips, movies, and other content we offer (collectively, the “Content”) and our player for viewing the Content (the “Video Player”), as well as any other products, features, tools, materials, or other services offered from time to time by Nar through a variety of Access Points. The term “Access Points” refers to, collectively, the nar.az website (the “Nar Site”), applications, and other places through which the Services may be accessed, including websites and applications of Nar’s third-party distribution partners and other websites where users or website operators are permitted to embed or have otherwise entitled to publish the Video Player. https://www.nar.az/promo/nar-tv-privacy/index-en.html

[23] Privacy Policy about the application “Azercell Kabinetim”, “Azercell Kabinetim” is created by “Azercell Telecom” LLC as a FREE application. This SERVICE is rendered by “Azercell Telecom” LLC free of charge and is intended to be used the way it exists.  This web page is used for providing information about our policy on collection, usage and disclosure of personal data of customers determined to use our Service. If you choose to use this Service, you consent to the collection and usage of information in accordance with the present policy. The collected Personal Data is used for rendering and improving this Service. We undertake not to use or share your data with anyone except for those cases described in this Privacy Policy. The provisions used in this Privacy Policy have the same meaning as the Terms and Conditions set forth in my Cabinet unless otherwise stated in the Privacy Policy. https://www.azercell.com/my/assets/policy/privacy_policy_en.html

[24] Subscription Agreement of the Bakcell LLC, https://www.bakcell.com/az/abune-muqavilesi

[25] Subscription Agreement of the Azercell, https://www.azercell.com/assets/files/abunechi-muqavilesi/azercell_abune-muqavilesi.pdf

[26] Subscription Agreement of the Azerfon, https://www.nar.az/uploads/documents/Nar_abunechi_muqavilesi_new.pdf

[27] In accordance with article 4.2.7 of the Contract provided by Bakcell LLC, the Subscriber is responsible for the correctness of the information related to the Subscriber, reflected in this Agreement and submitted by the Subscriber to “Bakcell”, and immediately informs “Bakcell” about changes in the registration address, questionnaire data, contact number and other information related to this Agreement. 2 (no later than two) calendar days) must provide written information. The subscriber does not object to the display of this information in the survey information sources.

[28] “On The Protection of Personal Data in the Area of Telecommunication Services, With Particular Reference to Telephone services”

[29] The “Principles underpinning privacy and the protection of personal data” report adopted by the UN Special Rapporteur on the right to privacy, 2022, https://documents-dds-ny.un.org/doc/UNDOC/GEN/N22/594/48/PDF/N2259448.pdf?OpenElement

[30] On 6 July 2019, during the meeting of the Working Group on “Business and human rights” held at the Ombudsman office (the meeting was dedicated to the topic “Ensuring the right to access information in the context of business and human rights”) the Commissioner noted that despite the existence of serious reforms in the relevant field, mobile operators distribute personal data without the knowledge and consent of the data owners, as a result of which they are inconvenienced and materially damaged and the investigation of complaints of citizens are carried out by companies without the participation of the complainant which also results with the lack of consideration of the complainant’s position in many cases; The Commissioner noted that such issues must be resolved. https://ombudsman.az/az/view/news/1354/ombudsman-yaninda-biznes-ve-insan-huquqlari-uzre-ishchi-qrupun-novbeti-toplantisi-kechirilib

[31] A SIM card is more than a phone number. It allows authorities to easily track people’s locations and movements. All of their online activity—websites visited, search queries, purchases, and more—can be traced back to their device.

[32] “Mobile operators have prepared a list of rally participants”, 28 January 2019, https://yenisabah.az/mobil-operatorlar-mitinq-istirakcilarinin-siyahisini-hazirlayib

[33] “Mobile operators responded to the accusations of the opposition”, 30 January 2019, https://www.azadliq.org/a/mitinq-bakcell-azercell-azerfon/29741836.html

[34] How is personal information protected in Azerbaijan? BBC News in Azerbaijani. February 7, 2019. https://www.bbc.com/azeri/azerbaijan-46875038

[35] Access to Mobile Services and Proof of Identity 2021. The GSMA Association. April 2021, https://www.gsma.com/mobilefordevelopment/wp-content/uploads/2021/04/Digital-Identity-Access-to-Mobile-Services-and-Proof-of-Identity-2021_SPREADs.pdf

In Azerbaijan, rape survivor continues to face harassment online by the perpetrator

Asgar Agazade was arrested last year following an accusation by a rape survivor. His victim is an activist, Sanay Yagmur. Agazade has denied the accusation from the start; however, seven months into the ongoing investigation and the trial, he is now facing a possible seven-year prison term. In addition, new evidence based on Agazade’s own statement now reveals that the perpetrator continued harassing and threatening Yagmur online.

The new evidence emerged during the hearing on June 22, in which Agazade confessed to hacking Yagmur’s email address and obtaining private information about her travel itinerary, which his family then used to target the activist on social media platforms, leaking false information to local media with the goal of humiliating and further threatening the activist. The perpetrator’s family alleged Yagmur was lying about her studies abroad [Yagmur left for her master’s degree last fall].

Lawyer Zibeyde Sadigova, who represents Yagmur, said unlawfully obtaining personal information, and spreading it, is a criminal act in itself. However, no further steps have been taken to investigate this criminal act. 

Some, including Yagmur’s family, suspect that the perpetrator was not acting alone in hacking into Yagmur’s email and obtaining private flight information and that the State Security Services was on the case as well. 

In a separate blackmail attempt, the perpetrator’s family alleged in an interview with the website Axar.az that Yagmur lived in Istanbul and was married to a woman. The claim was later retracted by the perpetrator’s sister in an interview aired on the YouTube show “Let’s talk straight.”

Toplum TV Facebook page hacked via SMS interception

On November 3, the founders of Toplum TV, an online news platform, said their Facebook page was hacked. Hacker(s) removed several videos, including one Toplum TV shared yesterday, which was a discussion with opposition politician Ali Karimli. According to the founders who spoke to AIW, the hacker(s) accessed the page through another founder’s Facebook account, deleted videos and page likes, and changed the name of the page. At the time of reporting this story, the Facebook page was recovered.

In a Facebook post, Alasgar Mammadli, one of the founders of the platform explained in detail how the hacker(s) accessed Toplum TV’s Facebook page by compromising his personal account first.

Translation: This morning at 8:54 AM local time, my Facebook account was compromised. The compromise was made possible using my personal mobile phone number. The hacker acquired access to personal information illegally. I only learned about what happened half an hour later as I was stuck in city traffic, and had limited access both to my mobile phone and personal computer. The compromise was made possible by intercepting an SMS sent to my mobile SIM card. Meaning, messages sent to my mobile number, were used in parallel by technical supervisors overseeing the telecommunication system in accordance with telecommunication law. Having accessed my personal account [the hacker(s)] were able to access Toplum TV Facebook page, changing its name, [only] deleting archived videos of live debates with Popular Front and Musavat party leaders, and removing several thousand Page likes. Clearly, the reason behind what happened is political intervention. The absolute lack of tolerance to public debates on Toplum TV’s platform has reached such a level, that the perpetrators, unafraid, have committed a criminal act prohibited by Articles 271, 272, and 273 of the Criminal Code. This compromise is an act of crime and a grave violation of freedom of speech, privacy, and security of personal data. I demand that serious investigation and preventive action be taken by relevant authorities working within the information security space.

Toplum TV encouraged its readers and followers in a tweet to support their page after hacking:

Translation: Toplum TV’s Facebook page was compromised and its name changed to their name “toplan”. To support independent media, like our Facebook page, and help restore deleted followers.

SMS interceptions are commonly used in Azerbaijan. Below are a few excerpts from a recent report published by AIW in partnership with International Partnership for Human Rights on the topic:

The interception of SMS exchanges remains an acute problem in Azerbaijan. In recent years, scores of political activists, journalists, rights defenders, and independent media platforms have had their social media accounts compromised. In many of these cases, those affected have had SMS notification enabled as two-step verification (2FA) procedure for accessing their Facebook accounts. As a result, when their accounts were compromised, they were unable to restore access to the accounts relying on traditional troubleshooting steps offered by social media platforms such as Facebook. Thus, they were unable to retrieve password reset codes sent by Facebook by SMS as their messages were intercepted by the operators, only to be passed on to the relevant government bodies. This experience shows that mobile companies have been involved in many of these attacks. However, none of the operators have taken the blame, so far. The earliest example of SMS surveillance goes back to 2009 when 43 Azerbaijanis voted for Armenia’s entry in the Eurovision Song Contest through votes cast by SMS. A number of these people were summoned and questioned by the security services. In an interview with Azadliq Radio (the Azerbaijani service of Radio Free Europe/Radio Liberty), one of these televoters, Rovshan Nasirli said that the authorities demanded an “explanation” for his vote and told him it was a “matter of national security”. He told the service: “They were trying to put psychological pressure on me, saying things like: ‘You have no sense of ethnic pride. How come you voted for Armenia?’ They made me write out an explanation, and then they let me go.” The authorities did not deny that they had identified and summoned people who voted for Armenia, and argued that they were merely trying to understand the motives of these people.

Three years after the Eurovision scandal, an investigative documentary aired on Swedish TV called “Mission: Investigate” revealed how the Swedish telecommunications giant TeliaSonera, which at the time owned a majority stake of Azercell, allowed “black boxes” to be installed within their telecommunications networks in Azerbaijan from as early as 2008. These boxes enabled security services and police to monitor all network communication, including internet traffic and phone calls in real-time without any judicial oversight. The exposure of these black boxes explains the type of technology the government was deploying already at the time of Eurovision in 2009. The investigation aired by Swedish TV also confirmed that wiretaps were used as evidence in politically motivated cases.

In 2014, an OCCRP investigation revealed how mobile operators were directly passing on information about their users to the respective government authorities. In a country where the government enjoys unprecedented control over the ICT industry and where some of the key players in the market such as mobile operators and ISPs are affiliated with the government or its officials, the findings of the investigation were not at all surprising. The 2014 investigation quoted the director of the Media Rights Institute, Rashid Hajili as saying that both mobile companies and ISPs were obliged to provide special facilities to the Ministry of National Security (MNS) for surveillance purposes in accordance with existing legal provisions as explained earlier. In the case of mobile companies, no court approval was sought to eavesdrop on the conversations and SMS exchanges of their customers – a common practice to this day. One of the first accounts of collaboration between mobile companies and the government is that of journalist Agil Khalil. In 2008, Khalil was working on a story about the alleged involvement of MNS employees in corrupt land deals. After taking photographs for the story, he was approached by MNS agents and beaten. The journalist escaped from his attackers and managed to take photos of them. Khalil filed a complaint with the police, and an investigation was opened but eventually dropped, without the perpetrators having been prosecuted or even identified. Soon after turning to the police, the journalist realized that he was being followed. When he filed another complaint with the police about the surveillance, police again failed to follow up. A few days later, Khalil was subjected to a new attack: this time, an unknown assailant stabbed and injured him. Khalil again turned to the police, accusing both the MNS and the mobile operator Azercell (whose services he was using) of being responsible for the attack.
He argued that the operator had helped the MNS to track down his whereabouts, thereby facilitating the attack. The involvement of Azercell in the case became more evident when the operator provided a local court, which examined the journalist’s complaint, with alleged SMS exchanges between Khalil and a man named Sergey Strekalin, who the MNS claimed was Khalil’s lover and had stabbed the journalist out of jealousy. When Khalil’s lawyer requested access to these SMS exchanges, Azercell refused, which called into question the authenticity of these messages. Khalil left Azerbaijan the same year after another attempted attack against him and the continued failure of the authorities to hold his assailants accountable. He took his case to the ECtHR, as a result of which the Azerbaijani government made a so-called unilateral declaration (an official admission) before this court in 2015 that it had violated Khalil’s right to life, freedom from ill-treatment, and freedom of expression and agreed to pay 28 000 EUR in compensation to him. As the government made this admission, there was no ECtHR ruling on the case.

In September, Toplum TV reported it lost 16k followers on its Facebook page. Facebook failed to explain how and why this took place. 

Legal analysis of a COVID tracing app released last year in Azerbaijan

This is part three in a series of detailed legal reports and analyses on existing legal amendments, and new legislation affecting privacy, freedom of expression, media, and online rights in Azerbaijan and their compliance with international standards for freedom of expression.  

In July of last year, authorities in Azerbaijan released their very own COVID tracing tracker application. Launched by Tebib (Azerbaijan Administration of Regional Medical Division), the app was quick to draw attention, especially over its privacy issues.

The mobile app is operated by the Data Processing Center (DPC), which is the main structure of the information technologies of the Ministry of Transport, Communications, and High Technologies. According to the app’s version history at App Store, the application “update” was done on 27 May 2021. 

e-Tebib is just one of the deluge of apps unveiled during the height of the COVID-19 pandemic by various governments, promising to detect COVID-19 exposure and more.

Below, we break down the pervasiveness of the app having analyzed existing national and international legislation.

Features and concerns

According to the app’s description, “E-Tebib is designed to inform users in real-time about the number of patients (both sick and recovered) in Azerbaijan.” Since the start of the pandemic, the official data for Azerbaijan on the number of infected patients and recoveries were made available here and the numbers were updated once a day – based on the numbers reported by the Operational Headquarters set up under the Cabinet of Ministers of the Republic of Azerbaijan (the unit was established on February 27, 2020). Already from the start, it was unlikely the app was going to provide real-time indicators when the main body in charge only shared the information once a day. 

In addition, article 4.4 in the user agreement of the app, explicitly said that any information, obtained through the app, may not be precise, correct, or trusted. And yet, the app also claimed to reduce the number of infected patients by informing users of potential COVID infected patients around them via Bluetooth technology. 

Although the app claimed it did not collect any personal data aside from the user’s phone number, article 5.3 of the license agreement stated that the center [the Ministry of Communication, Transportation and High Technologies, which owns the app’s license] collected users’ names, last names, phone numbers, social media accounts, emails, national ID numbers, and location.

Article 5.1 mentioned that the center was sharing this information with third parties. These third parties were allowed to analyze collected information, including users’ browsing history [the center did claim that it did not allow third parties to use the obtained information for other purposes]. Article 5.5.1 stated the center may share users’ information in response to legal requests from government bodies and/or representatives, court orders, or under any other legal condition. Furthermore, article 5.6 stated that users’ information may be shared with third parties in other countries for security purposes.

What the law says

According to Article 5.1 of the Law on Personal Data, personal information is protected from the moment it is collected, and for this purpose it is divided into confidential and public categories according to the type of access. Article 5.2 of the Law on Personal Data stipulates that confidential personal data must be protected by the owner, operator, and users who have access to this information at the level required by law. Confidential personal information may be disclosed to third parties only with the consent of the subject, except as provided by law. Article 5.3 of the Law on Personal Data defines open personal data as information anonymously duly declared, made public by the subject, or entered into the information system with the consent of the subject. The person’s name, surname, and patronymic are permanently open personal information.

The terms of the agreement [of the app] on sharing private information with third parties are vaguely worded and open to wide interpretation, leaving room for unlawful transmission of private information to third parties.

Furthermore, article 5.5.1 of the app’s agreement, which states that information might be shared upon government representatives’ legal requests, is problematic from the human rights perspective. It fails to specify on which grounds and under what conditions the state authorities might request private information, which is necessary in terms of procedural fairness and safeguards against arbitrariness.

Where personal information is stored for the interest of the protection of health, there should be adequate and effective guarantees against abuse by the state. The law in question, which allows the storing of such information, must indicate with sufficient clarity the scope and conditions of exercise of the authorities’ discretionary power. These standards to some extent are also backed in Article 11.2.2 of the Law on Personal Data which states that when collecting personal data, the owner or operator must notify the subject about the purpose of personal data that is being processed and the legal grounds of this purpose.

In other words, it is not clear whether any state authority can have access to private information simply upon requesting it without legal justification. This is also a requirement of the Law “About operational search activities” as per Article 10. Thus, Article 10 of the Law states that the extraction of information from technical communication channels and other technical means is carried out on the basis of the decision of the court [judge].

Article 5.10 of the app’s user agreement states that all user-related data is kept for a month. But it fails to explain whether the same expiry date applies to “third parties” that may have accessed users’ information. This is contrary to Article 8.2 of the Law on Personal Data. The Law on Personal Data requires that the purpose of collecting and processing personal data (specifically Article 8.2.3), and the conditions of destruction or archiving of personal data collected in the relevant information system after the expiration of the storage period or after the death of the subject in the manner prescribed by law, be set out in the written consent for the processing of the subject’s personal data.

Such vagueness is also contrary to the ECtHR’s well-established case law. In the Aycaguer v. France case, the ECtHR ruled that there was a violation of Article 8 (right to respect for private life) of the Convention by “determining the duration of storage of […] personal data depending on the purpose of the file stored […]”. The Court noted that, to date, no appropriate action was taken on that reservation and that there was currently no provision for differentiating the period of storage. The Court also ruled that the regulations on the storage of DNA profiles did not provide the data subjects with sufficient protection, owing to its duration and the fact that the data could not be deleted. The regulations, therefore, failed to strike a fair balance between the competing public and private interests.

Another concern was that the application was developed by A2Z Advisors LLC and the app’s privacy policy was linked to the company’s website. The landing page of A2Z Advisors LLC, however, did not provide any information on the app’s privacy policy. At the time when the app was launched, AIW reached out for comment via email as per A2Z’s recommendation but never received a response.

Similarly, in the App Store for iOS, clicking on the “App Support” tab once again led to the A2Z company website, which once again failed to provide any information related to the app. Instead, the privacy policy was accessible via this link, which a user could reach only after downloading and launching the app. This in itself was contrary to several articles of the Law on Personal Data.

According to Article 11 of the law, when collecting personal data, the owner or operator is required to notify the subject about the level of protection of personal data collected and processed in the information system [11.2.3]; the information on the existence of a certificate of conformity of information systems and state examination [11.2.4]; and the scope of the intended uses of personal data, including the information system for which the information is to be exchanged [11.2.5]. However, no such information was provided in the app’s agreement.

The app’s code was also not open source, and the app was licensed under the Ministry of Communication, Transportation, and High Technologies. This is contrary to the requirement [Article 6.22] of the Resolution of the Cabinet of Ministers about “Requirements on creation and management of Internet information resources of state bodies”, which requires that open source content management systems should not be used in internet information resources.

FaktYoxla, a fact-checking platform in Azerbaijan, concluded after a detailed legal analysis of the license agreement that e-Tebib was not designed in accordance with the national legislation on data privacy. The fact-checking platform, having analyzed the respective case law of the European Court, the EU Data Protection Directive, and the Council of Europe Treaty 108, concluded that the e-Tebib application contradicted the obligations imposed by international standards.

On July 10, 2020, following widespread privacy concerns and questions over the app’s transparency, changes were made to the terms of the agreement.

Originally users’ information was transferred to third parties, which were not explicitly defined in the agreement. At the time, independent experts and lawyers said this was against Article 32 of Azerbaijan’s state constitution and in violation of Article 8 of the European Convention on Human Rights.  Azerbaijan’s constitution, namely, Article 8, stipulates that no one has a right to collect personal information without an individual’s permission. The convention, on the other hand, refers to respect for privacy. 

In the Copland v. the United Kingdom case (no. 62617/00, ECHR 2007-I), the Court found that it was irrelevant that the data held by the college where the applicant worked was not disclosed or used against her in disciplinary or other proceedings. Just storing the data amounted to an interference with private life.

The updated license agreement said that only under necessary circumstances, and within the normative legal framework, may personal information be transferred to third parties. The revised agreement still fails to explicitly mention the precise list of institutions considered third parties.

Fuad Niftaliyev, the head of the app development project, later explained that the third parties referred to in the agreement are the Ministry of Health, Tebib, and the Operational Headquarters [set up under the Cabinet of Ministers of the Republic of Azerbaijan]. Niftaliyev clarified that the collected information was stored on the servers operated by the Ministry of Communication and Information. That too was problematic, given the questionable transparency of government institutions in Azerbaijan, especially as surveillance technology is widely used by the ministries.

In Azerbaijan a COVID tracing app draws much suspicion over privacy issues [updated]

In July, authorities in Azerbaijan released their very own COVID tracing tracker application. Launched by Tebib (Azerbaijan Administration of Regional Medical Division), the app was quick to draw attention, especially over its privacy issues.

e-Tebib is just one of the deluge of apps that have been unveiled in recent months by various governments, promising to detect COVID-19 exposure and more. According to this detailed MIT review, some of these apps are “lightweight and temporary, while others are pervasive and invasive”, like the Chinese version, which obtains access to users’ identity, location, and online payment history “so that police can watch for those who break quarantine rules”.

In Azerbaijan, the police were already on the watch, with a mandatory SMS mechanism that required citizens to receive permission slips via SMS before going outside. So why ask citizens to install an app that technically does nothing new, or does it?

Features and concerns

According to the app’s description, “E-Tebib is designed to inform users in real-time about the number of patients (both sick and recovered) in Azerbaijan.” Currently, the official data is available here and the numbers are updated once a day – based on the numbers reported by the Operational Headquarters set up under the Cabinet of Ministers of the Republic of Azerbaijan (the unit was established on February 27). It is unlikely the app will be providing real-time indicators when the main body in charge only shares the information once a day. 

In addition, article 4.4 of the app’s user agreement explicitly states that any information obtained through the app may not be precise, correct, or trusted.

And yet, the app also claims to reduce the number of infected patients by informing users of potential COVID-infected patients around them via Bluetooth technology.

Although the app claims it does not collect any personal data aside from the user’s phone number, article 5.3 of the license agreement states that the center [the Ministry of Communication, Transportation and High Technologies, which owns the app’s license] collects users’ names, last names, phone numbers, social media accounts, emails, national ID numbers, and location. Article 5.4 mentions the center’s sharing of this information with third parties. These third parties may analyze collected information, including users’ browsing history [the center does claim that it does not allow third parties to use the obtained information for other purposes]. Article 5.5.1 states the center may share users’ information in response to legal requests from government bodies and/or representatives, court orders, or under any other legal condition. Article 5.6 states that users’ information may be shared with third parties in other countries for security purposes. Article 5.10 states that all user-related data is kept for a month. But it fails to explain whether the same expiry date applies to “third parties” that may have accessed users’ information.

The application is developed by A2Z Advisors LLC and the app’s privacy policy is linked to the company’s website. The landing page, however, does not provide any information on the app’s privacy policy. When AIW reached out for comment, it was advised to send an email, which at the time of writing this post remains unanswered. Similarly, in the App Store for iOS, clicking on the “App Support” tab once again leads to the A2Z company website, which does not actually provide any information related to the app. Instead, the privacy policy is accessible via this link, which a user can access only after downloading and launching the app.

According to the app’s version history at the App Store, the application was released a month ago. The latest “update” was done 2 days ago [July 7].

Further criticism of the app’s transparency comes from the fact that its code is not open source and its license belongs to the Ministry of Communication, Transportation, and High Technologies.

The biggest concerns are the location of the data storage, the duration of the data storage, and who has access to this data.

In Azerbaijan, however, other concerns have also been voiced: that the application is only available for native speakers and that expats living in the country are unable to use it. It also does not cater to people with disabilities.

FaktYoxla, a fact-checking platform in Azerbaijan, concluded after a detailed legal analysis of the license agreement that e-Tebib is not designed in accordance with national legislation on data privacy.

On July 10, following widespread privacy concerns and questions over the app’s transparency, changes were made to the terms of the agreement. Originally users’ information was transferred to third parties, which were not explicitly defined in the agreement. At the time, independent experts and lawyers said this was against Article 32 of Azerbaijan’s state constitution and in violation of Article 8 of the European Convention on Human Rights. Azerbaijan’s constitution, namely, Article 8, stipulates that no one has a right to collect personal information without an individual’s permission. The convention, on the other hand, refers to respect for privacy.

The new license agreement now says that only under necessary circumstances, and within the normative legal framework, may personal information be transferred to third parties. The revised agreement still fails to explicitly mention the precise list of institutions considered third parties.

This last point was later addressed by Fuad Niftaliyev, the head of the app development project. Niftaliyev explained that the third parties referred to in the agreement are the Ministry of Health, Tebib, and the Operational Headquarters [set up under the Cabinet of Ministers of the Republic of Azerbaijan]. According to Niftaliyev, the collected information is stored on the servers operated by the Ministry of Communication and Information. That is itself problematic, given the questionable transparency of government institutions in Azerbaijan, especially as surveillance technology is widely used by the ministries.

For potential users of the app, this remains problematic, especially when there is no option “B” if one disagrees with the terms of service.