Nine threats to your personal life stemming from the new legislation on secret wiretapping
At the end of November, 2014, the Parliament adopted amendments known as the Beselia-Popkhadze-Sesiashvili legislative package. According to the opinion of the civil society, these amendments drastically worsen the legislation on human rights protection, and create risks of unjustified government interference in citizens’ private lives. For these reasons, the president initially vetoed these amendments, but the parliament overcame the presidential veto the very next day.
Below we offer a description of the new circumstances and concrete threats created by amendments in the legislation on secret wiretapping
1. Ministry of Internal Affairs retains technical means – the lawful interception management system, so-called black boxes – enabling it to receive telecom data in real time.
This is the most serious problem, for which the civil campaign “This affects you too - we are still wiretapped” was initiated. The direct access of law enforcement agencies to the communication data creates unjustified risk of interference in citizens’ private lives, since technically these agencies can conduct wiretapping without special permission.
The legislative package adopted on November 30, 2014 envisions for the MIA to retain the so-called black boxes (the lawful interception management system), which ensure the direct access to telephone conversations and the content of communications transmitted over the Internet. The existence of the aforementioned system allows the MIA to intercept and store telecommunications data in real time, without any oversight.
This contradicts with the recommendations brought forward by the experts of the Council of Europe on several occasions: direct and constant access to the telecommunications data (both identifying information and information containing content) by the MIA was not restricted.
2. Personal Data Protection Inspector becomes a participant in secret investigations.
According to the changes to the Law on Protection of Personal Data, from the technical point of view, the process of the secret tapping and recording of telephone conversations shall be carried out by the means of a two-stage electronic system which required consents from the MIA and the Personal Data Protection Inspector (Paragraph 31, Article 3 of the Code of Criminal Procedure). According to Sub-Paragraph “a”, Paragraph 1, Article 351 of the Law on the Protection of Personal Data, the Personal Data Protection Inspector shall give his/her electronic consent to begin tapping and recording of a telephone conversation at the time of a secret investigation.
Personal Data Protection Inspector’s office is the only state agency in Georgia responsible for protection of personal data. Accordingly, after Inspector gets directly involved in the technical and legal implementation of interception and tapping, the system will be left without any external oversight mechanism.
3. Internet remains without the two-stage consent system.
The two-stage electronic consent system does not extend to obtaining data transmitted through the Internet (Paragraphs 1 and 2, Article 351 of the Law on the Protection of Personal Data).
MIA retains the right to intercept and record unlimited amounts of information transmitted through Internet providers without any external oversight mechanism.
In this case, Personal Data Protection Inspector carries out the inspection only by comparing information provided by the court, the Prosecutor’s Office and an electronic communications service provider and by verifying the legality of processing of data by a data processor/authorized person.
Such oversight system has a formal character because the MIA begins obtaining information from Internet providers without any external control. While carrying out the inspection, the Inspector relies on the good faith of the law enforcement body to provide accurate information. It is also unclear what information an electronic communications service provider is supposed to provide the Inspector with, whereas under the existing system the company does not receive a court ruling and, accordingly, it does not know what type and amount of the information the MIA obtains from its networks.
We believe it is necessary to implement the same standard in case of telephone and Internet communications as the same types of information, including private information, is being transmitted by citizens via both means.
4. The law is unclear about whether the system of the so-called two keys applies in case of an emergency.
The Law on the Protection of Personal Data and the Code of Criminal Procedure do not include a clear procedure according to which secret tapping and recording of a person on the basis of a prosecutor’s motion may only be carried out if the so-called two-stage consent is put into action.
The proposed version of the draft law envisioned that a prosecutor’s motion must be handed to the Personal Data Protection Inspector within 24 hours after it was made. Upon request of civil society organisations, the draft was amended to state that a prosecutor’s motion must be handed to the Inspector immediately. Despite this, the law does not specify a procedure for the secret investigation to begin only after the Personal Data Inspector issues his/her consent electronically. Such formulation of the law allows for an interpretation of the law in a way that creates risks of abuse of authority.
5. The Personal Data Protection Inspector will be checking MIA by means of a software created by MIA.
According to Article 551 (Transitional Provisions) of the Law on the Protection of Personal Data that was adopted on November 30, 2014, the Personal Data Protection Inspector and the Inspector’s Office will not take part in the creation of the software which is necessary for the functioning of the special electronic system.
The software will be created by the MIA. Accordingly, the MIA will create a system by which it will be controlled. This fact certainly contains a considerable risk that the software will be programmed in a way which will make it possible to obtain information bypassing the means of control.
6. The MIA has the right to copy data banks of unlimited amount and with content unspecified by law from electronic communications companies without a court’s permission
The passage of the so-called secret surveillance legislative package and recording on August 1, 2014, repealed Sub-Paragraph "g", Article 14 of the Law of Georgia on Operative Investigative Activity according to which the bodies authorized to carry out operative investigative activity, taking into account technical expedience, could copy data banks existing in communication channels. A norm with the corresponding content was included in the Law on Electronic Communications as a transitional provision and November 1 was determined as the date of its expiration (which the Parliament later changed to December 1).
As a result of the law passed on November 30, a norm with the same content as Sub-Paragraph "g", Article 14 of the Law on Operative Investigative Activity which had been repealed, was included in Sub-Paragraph "b" of Part 1 of Article 83 of the Law on Electronic Communications. Accordingly, the MIA now has the right to copy data banks without judge’s ruling.
While Sub-Paragraph “b” of Part 1 of Article 1431 specifies that a judge’s ruling or a prosecutor’s motion is needed for conducting investigative activity, Sub-Paragraph "b" of Part 1 of Article 83 of the Law on Electronic Communications explains the stage at which the judge’s ruling is necessary:
After obtaining the information in real time, an authorized agency shall undertake measures directly, based on a court ruling or prosecutor's motivated resolution.
Therefore, the MIA is authorized to copy data banks without judge’s ruling or prosecutor’s motion. A judge’s ruling is only necessary for using the data. We are still left with the hope that the MIA will act in good faith and will not use the data banks without a judge’s ruling.
7. The law no longer determines which identifying data the MIA is authorized to copy and store.
Paragraph 3, Article 8 of the Law on Electronic Communications that was passed on August 1, 2014 used to determine which identifying data must be stored by the electronic communication companies. The detailed list provided a guarantee that the information which was useless for the purposes of solving a crime would not be obtained and stored. It was also noted that the data did not imply the content of communications which was supposed to be deleted immediately.
As a result of the law passed on November 30, 2014, the obligation to store the so-called identifying data moved to the MIA (Article 83, section 1 (B) of the Law on Electronic Communications), and the concept of identifying data of electronic communications was defined by Paragraph z.g.62, Article 1 of the Law on Electronic Communications. The concept no longer includes the detailed list the August 1, 2014 amendment provided. The generalized and vague concept poses a great risk that the MIA will abuse its authority to obtain and store data that is not necessary for the purposes of legal proceedings.
8. Electronic communications companies are no longer obliged to register data obtained as a result of a secret investigative action.
According to the Law on Electronic Communications (Article 82) that was adopted on August 1, 2014, the electronic communications companies shall register the facts of transmission of data identifying electronic communication to the relevant state authorities and shall provide relevant information to the Personal Data Protection Inspector except for the cases when the transmission was not made by using the technical means of transferring information in real time.
As a result of the Law on Electronic Communications (Article 82) adopted on November 30, 2014, the electronic communications companies are now free from this obligation and they are only obliged to register the information that was transferred with the procedure established by Articles 112 and 136 of the Code of Criminal Procedure and to notify it to the Personal Data Protection Inspector. Articles 112 and 136 only concern the research, recovery and request of the information from the computer system. Accordingly, the information transferred as a result of a secret investigative action is no longer registered and notified to the Personal Data Protection Inspector.
9. All information about the secret investigative actions, including their results, becomes a state secret.
According to the Law on State Secrets (Sub-Paragraph “a”, Paragraph 4, Article 7) that was adopted on November 30, 2014, information about plans, organizing, logistics, forms, methods, and results of intelligence, counter-intelligence, operative activities and secret investigative actions, concrete measures, as well as funding of specific programs becomes a state secret. According to Article 41310 of the Code of Criminal Procedure that was adopted on August 1, 2014, the Supreme Court of Georgia is obliged to compile a register of the secret investigative actions which reflects statistical information related to the secret investigative actions, specifically, the information about motions submitted to courts in relation to the conduct of the secret investigative actions and about the court rulings on them, as well as information about the destruction of materials obtained as a result of the operative investigative measures which were not related to a person’s criminal activity but contained the information about his/her or another person’s private life and were destroyed in accordance with Paragraph 4, Article 6 of the Law of Georgia on Operative Investigative Activity.
Statistical information about the results of the secret investigative actions must be published in the registry of secret investigative actions. Under the law adopted on November 30, 2014 the publication of these results comes under question, because there is a special procedure for declassification of state secrets.
Despite of the demand of civil society organizations, it was not written in the Law on State Secrets that, as an exception, it is possible not to deem the statistical data on the investigative actions as a state secret.
There is also a significant risk that the data obtained as a result of a secret investigative action may not be disclosed to the defense side of a trial, because these data constitute a state secret.