authorities in Azerbaijan are considering law on social media – critics say

A recent conference organized by the Prosecutor General’s office in Baku on the recent violations of media legislation has raised eyebrows among civil society. On August 10, an event, titled, “Freedom of the Media and Information Security of Society under the Increasing Influence of Social Networks,” was held at the General Prosecutor’s Office.  Among the guests were representatives of pro-government and government media, as well as GONGOs. According to reporting by Turan News Agency, representatives of independent media or independent media experts were not invited and those who did attempt to attend the event were kicked out, violating Articles 25 and 5o of the Constitution. 

During the event, Prosecutor General Kamran Aliyev said the Prosecutor’s Office was determined to continue taking measures against published content in the media as well as on social networks deemed harmful to national security, not corresponding to reality, and/or identified as violating the rights of citizens.

A number of citizens have received warnings over their social media posts in recent weeks. In a statement published on July 30, the General Prosecutor’s Office said it has warned seven other users over their public posts shared on social media. The Prosecutor’s Office in a statement said the users were warned after the Prosecutor’s Office identified a violation of the Law on Media. Specifically, the statement said, 

During monitoring, it was identified that during the publication of news in media, provisions of Article 14.1.11 of the Law on Media were not observed [Facts and events must be presented impartially and objectively, and one-sidedness must not be allowed]. 

In order to prevent cases of violation of socio-political stability, human and citizen rights and freedoms, a number of relevant persons were invited to the Prosecutor General’s Office and the prosecutor took measures. 

As such, Sakhavat Mammadov, Rovshan Mammadov, Zulfugar Alasgarov, Elgun Rahimov, Fuzuli Kahramani, Zeynal Bakhshiyev and Ruslan Izzetli received a warning based on Article 22 of the Law on Prosecutor – to avoid cimilar negative incidents from taking place again.

The General Prosecutor’s Office repeats, in its appeal to media and social network users, that dissemination of unverified information that lacks clarificaition from the state institutions is unacceptable and holds one accountable according to existing legislation. 

Among those in attendance, was the head of the Press Council, Aflatun Amashov, who proposed to set up a commission in partnership with the Prosecutor’s Office that would regulate the media. For what purpose remains unclear, especially when there is no legislation in Azerbaijan that gives the prosecutor’s office authority to engage on issues of media ethics, media professionalism, or content regulation. 

In May 2022, AIW published a legal analysis about content regulation in Azerbaijan. At the time, an uptick in cases in which social media users faced punitive measures by the Prosecutor’s General Office for their online activism indicated that the Office has taken on a temporary role of taking measures against activists, journalists, and media within the scope of laws on information and media. But continuing involvement of the Office in handing out fines and warnings may indicate that in addition to punitive measures, there is a plan to introduce legal measures on social media platforms. 

Khalid Aghaliyev, a media law expert, told Meydan TV in an interview that the most recent discussions are a sign that the state is mulling over creating a law to regulate social media platforms. Aghaliyev also criticized the proposal of the Press Council to set up a commission. Nowhere in the world, there are institutions set up to regulate media. “These issues are regulated by independent journalists’ unions and their recommendations. But in Azerbaijan, independent journalism and media are problematic. They must be free, in the first place to get used to regulating themselves,” explained Aghaliyev.

Similarly, the head of Azerbaijan Internet Forum, Osman Gunduz, in a Facebook post said, the event organized by the Prosecutor’s Office sets a dangerous precedent. “Such steps create risks for the freedom of the Internet, the development of social media, and freedom of expression in general,” wrote Gunduz. 

Another media law expert, Alasgar Mammadli, writing in a Facebook post, criticized both the Press Council and the newly created MEDIA agency for failing to speak up at the event. After all, each of these institutions is responsible for reforms in the media, wrote Mammadli, and yet they could not say, “Dear Prosecutor’s Office, the functions in this area have been entrusted to me by presidential decree, do not interfere,” wrote Mammadli. 

Azerbaijan renames main Internet regulator [update May 24]

On October 11, the main internet regulator in Azerbaijan – the Ministry for Transport, Communication and High Technologies – was renamed the Ministry of Digital Development and Transport. The move comes following the signing of a Presidential Order that includes “improving management in the field of digitalization, innovation, high technology and communication in Azerbaijan,” according to ABC.az reporting. 

The decree also orders the setting up of the following departments within the rebranded ministry: 

  • The Agency for Information Communication Technologies; 
  • Innovation and Digital Development Agency (which will now combine, National Nuclear Research Center, Innovation Agency, and High Technologies Research Center);

Under its responsibilities, the Agency for Information Communication Technologies will:

  • carry out certification, accounting, control, and regulation of information communication technologies (including quality control) – this means that the new agency will act as the main internet regulator from now on; 

Experts say, the newly set up internet regulator, is unlikely to act independently. Human rights lawyer, Emin Abbasov said, “For many years, regulation in this sector [ICT] belonged to the Ministry [of Transport, Communication, and High Technologies]. And it has been a long-awaited move to set up an independent internet regulatory body. However, the new agency is unlikely to act independently as its head will be appointed by the Minister of Digital Development and Transport.”

Similarly, commenting on the decision, the President of Azerbaijan Internet Forum, Osman Gunduz said while it is a good sign that there is a new agency, its autonomy from its predecessor is yet to be seen. “For many years, the Ministry was the regulator. Basically, the ministry was regulating the ICT market, in which it also had stakes. There was a department within the ministry responsible for regulations and for decades this department favored government operators by creating favorable conditions for them. So it is a positive step that there is now a separate agency. What is interesting however is that according to the order, the head of the Agency will be appointed by the Minister [of Digital Development and Transport]. It would have been better if it was the President. Because it is unlikely that the Agency is going to have it easy regulating a deeply embedded tradition and creating equal conditions for both state and private companies. The question we should be asking is whether the leadership of the agency will have the authority and say in regulating the state operator in accordance with the new rules and procedures? And whether yet again, state companies will hold an upper hand in the market?  

In Azerbaijan, the ICT market is fairly concentrated in the hands of the government – in terms of control, and regulation as well as services – namely the Ministry of Transport, Communication, and High Technologies. In 2016, the President approved a Strategic Roadmap for Telecommunication and Information Technology Development. According to item seven, titled “strategic goals,” the document called for setting up an independent regulatory body by 2020.

On May 24, according to changes to a presidential decree dated January 12, 2018, the Ministry’s name was changed once again to the Ministry of Digital Development and Transport.

Legal analysis of a COVID tracing app released last year in Azerbaijan

This is part three in a series of detailed legal reports and analyses on existing legal amendments, and new legislation affecting privacy, freedom of expression, media, and online rights in Azerbaijan and their compliance with international standards for freedom of expression.  

In July, of last year, authorities in Azerbaijan released their very own COVID tracing tracker application. Launched by Tebib (Azerbaijan Administration of Regional Medical Division) the app was quick to draw attention, especially over its privacy issues.

The mobile app is operated by the Data Processing Center (DPC), which is the main structure of the information technologies of the Ministry of Transport, Communications, and High Technologies. According to the app’s version history at App Store, the application “update” was done on 27 May 2021. 

e-Tebib is just one of the deluge of apps unveiled during the height of the COVID-19 pandemic by various governments, promising to detect COVID-19 exposure and not only.

Below, we break down the pervasiveness of the app having analyzed existing national and international legislation.

Features and concerns

According to the app’s description, “E-Tebib is designed to inform users in real-time about the number of patients (both sick and recovered) in Azerbaijan.” Since the start of the pandemic, the official data for Azerbaijan on the number of infected patients and recoveries were made available here and the numbers were updated once a day – based on the numbers reported by the Operational Headquarters set up under the Cabinet of Ministers of the Republic of Azerbaijan (the unit was established on February 27, 2020). Already from the start, it was unlikely the app was going to provide real-time indicators when the main body in charge only shared the information once a day. 

In addition, article 4.4 in the user agreement of the app, explicitly said that any information, obtained through the app, may not be precise, correct, or trusted. And yet, the app also claimed to reduce the number of infected patients by informing users of potential COVID infected patients around them via Bluetooth technology. 

Although the app claimed it did not collect any personal data aside from the user’s phone number the article 5.3 of the license agreement stated, the center [the Ministry of Communication, Transportation and High Technologies who owns the app’s license] collected users’ names, last names, phone numbers, social media accounts, emails, national ID numbers, and location.

Article 5.1 mentioned the center was sharing this information with third parties. These third parties were allowed to analyze collected information including users’ browsing history [The center did claim that it did not allow third parties, to use the obtained information for other purposes]. Article 5.5.1 stated the center may share users’ information with government bodies and/or representatives’ legal requests; court orders; or under any other legal condition. Furthermore, article 5.6 stated that users’ information may be shared with third parties in other countries for security purposes.

What the law says

According to Article 5.1 of the Law on Personal Data personal information is protected from the moment it is collected and for this purpose, it is divided into confidential and public categories according to the type of access. Article 5.2 of the Law on Personal Data stipulates that confidential personal data must be protected by the owner, operator, and users who have access to this information on a level required by law. Confidential personal information may be disclosed to third parties only with the consent of the subject, except as provided by law. Article 5.3 of the Law on Personal Data defines open personal data as information anonymously duly declared, made public by the subject, or entered into the information system with the consent of the subject. The person’s name, surname, and patronymic are permanently open personal information.

The terms of the agreement [of the app] on sharing private information with the third parties are vaguely regulated and open to wide interpretation for unlawful transmission of the private information with third parties.

Furthermore, article 5.5.1 of the app’s agreement that states information might be shared upon the government representatives’ legal requests are problematic from the human rights perspective. It fails to specify on which grounds and under what conditions the state authorities might request the private information which is necessary for terms of procedural fairness and safeguards against arbitrariness.

Where personal information is stored for the interest of the protection of health, there should be adequate and effective guarantees against abuse by the state. The law in question, which allows the storing of such information, must indicate with sufficient clarity the scope and conditions of exercise of the authorities’ discretionary power. These standards to some extent are also backed in Article 11.2.2 of the Law on Personal Data which states that when collecting personal data, the owner or operator must notify the subject about the purpose of personal data that is being processed and the legal grounds of this purpose.

In other words, it is not clear whether any state authority can have access to private information simply upon requesting it without legal justification. This is also a requirement of the Law “About operational search activities” as per Article 10. Thus, Article 10 of the Law states that the extraction of information from technical communication channels and other technical means is carried out on the basis of the decision of the court [judge].

Article 5.10., of the app’s user agreement states that all user-related data is kept for a month. But it fails to explain whether the same expiry date applies to “third parties” that may have access[ed] [to the] users’ information. This is contrary to Article 8.2., of the Law on Personal Data. Law on Personal Data requires that for the purpose of collecting and processing of personal data (specifically Article 8.2.3.,) and conditions of destruction or archiving of personal data collected in the relevant information system after the expiration of the period of storage or after the death of the subject in the manner prescribed by law must include a written consent for the processing of the subject’s personal data.

Such vagueness is also contrary to the ECtHR’s well-established case law. In Aycaguer v. France case, the ECtHR ruled, there was a violation of Article 8 (right to respect for private life) of the Convention by “determining the duration of storage of […] personal data depending on the purpose of the file stored […]”. The Court noted that, to date, no appropriate action was taken on that reservation and that there was currently no provision for differentiating the period of storage. The Court also ruled that the regulations on the storage of DNA profiles did not provide the data subjects with sufficient protection, owing to its duration and the fact that the data could not be deleted. The regulations, therefore, failed to strike a fair balance between the competing public and private interests.

Another concern was that the application was developed by A2Z Advisors LLC and the app’s privacy policy was linked to the company’s website. The landing page of A2Z Advisors LLC, however, did not provide any information on the app’s privacy policy. At the time when the app was launched, AIW reached out for comment via email as per A2Z’s recommendation but never received a response.

Similarly, in the App Store for IOs when clicking on the “App Support” tab, the page once again led to the A2Z company website and once again failed to provide any information related to the App. Instead, the privacy policy was accessible via this link that a user had access to but only after downloading and launching the app. This in itself was contrary to the several articles of the Law on Personal Data.

According to Article 11 of the law, it is required, when collecting personal data, that the owner or operator, notifies the subject about the level of protection of personal data collected and processed in the information system [11.2.3.]; the information on the existence of a certificate of conformity of information systems and state examination [11.2.4.]; and the scope of the intended uses of personal data, including the information system for which the information is to be exchanged [11.2.5.]. However, no such information was provided in the app’s agreement.

The app was also not an open-source code and was licensed under the Ministry of Communication, Transportation, and High Technologies. This is contrary to the requirement [Article 6.22.,] of the Resolution of the Cabinet of Ministers about “Requirements on creation and management of Internet information resources of state bodies”, which requires that open source content management systems should not be used in internet information resources.

FaktYoxla, a fact-checking platform in Azerbaijan concluded after a detailed legal analysis over the license agreement that e-Tebib was not designed in accordance with the national legislation on data privacy. The fact-checking platform, having analyzed the respective case-law of the European Court, the EU Data Protection Directive, and the Council of Europe Treaty 108, concluded that the e-Tebib application contradicted the obligations imposed by international standards.

On July 10, 2020, following widespread privacy concerns and questions over the app’s transparency, changes were made to the terms of the agreement.

Originally users’ information was transferred to third parties, which were not explicitly defined in the agreement. At the time, independent experts and lawyers said this was against Article 32 of Azerbaijan’s state constitution and in violation of Article 8 of the European Convention on Human Rights.  Azerbaijan’s constitution, namely, Article 8, stipulates that no one has a right to collect personal information without an individual’s permission. The convention, on the other hand, refers to respect for privacy. 

***In Copland v. the United Kingdom case (no. 62617/00, ECHR 2007-I), the Court found that it was irrelevant that the data held by the college where the applicant worked was not disclosed or used against her in disciplinary or other proceedings. Just storing the data amounted to an interference with private life.

The updated license agreement said that only under necessary circumstances, and within the normative legal framework personal information may be transferred to third parties. The revised agreement, still, fails to explicitly mention the precise list of institutions considered under third parties.

Fuad Niftaliyev – the head of the app development project later explained that the third parties referred to in the agreement are the Ministry of Health, Tebib, and the Operational Headquarters [set up under the Cabinet of Ministers of the Republic of Azerbaijan]. Niftaliyev clarified that the collected information was stored on the servers operated by the Ministry of Communication and Information, however that too was problematic, given the questionable transparency of the government institutions in Azerbaijan especially as surveillance technology is widely used by the ministries alike.