Draft Law on Information Security and Associated Risks
The Parliament of Georgia is reviewing the draft law on Amendments to the Law on Information Security.
The ineffectiveness of the law adopted in 2012, as evidenced by recent high-profile cyber-attacks and modern challenges, have made it obvious that there is indeed a need for updating the cyber security legislation. However, we believe that the draft law: A) creates a system that does not ensure the effectiveness of information security at the state level; B) contains risk of a total control of the information systems and/or personal and commercial data contained in them; C) is against the norms of the Georgian Constitution and its international obligations.
A) Legislation and regulations are supposed to be driven from the objective of cyber security strategy, which in its turn should be designed to respond to the cyber security challenges Georgia is facing. We do not have an operational strategy in place and reviewing the draft law in the absence of a strategic framework may lead to poor implementation of both of them. This puts the security of the country's overall infrastructure at risk.
In accordance to the proposed changes, the State Security Service (SSSG) LEPL Operational-Technical Agency (OTA) will become the agency accumulating, on the one hand, the functions of a regulator: of being both an accrediting and executive body, and on the other hand, those of a control and supervision body.
Such a centralized and unbalanced system cannot be effective and improvement-oriented. Moreover, the State Security Service is a law enforcement agency that, for security purposes, has the explicit interest in having the maximum access to various information infrastructures and can easily satisfy this interest if empowered by legal mechanisms, specifically, the by-laws.
According to the draft law, the rights and responsibilities of the Data Exchange Agency (DEA) are unbalanced and incompatible. This carries a risk of rough and unjustified meddling in the management of information systems of private organizations. In addition, if banks will be considered as subjects of a critical information system, the Data Exchange Agency and the National Bank will function as two different bureaucracies with duplicated functions.
B) OTA will have direct access to the information systems of the legislative, executive or judicial authorities, individual public agencies, including the CEC, as well as the National Bank and the telecommunications sector, and thus, indirect access to the personal and commercial information contained in the systems.
The draft law creates the possibility of the processing personal data without a court warrant, while the ambiguity of the norms poses the real danger of the processing of personal data illegally and disproportionately. Therefore, the draft law contains risks of unjustified interference in and surveillance of private life.
C) The draft law does not comply with the Constitution of Georgia, as there is a danger of infringing on the inviolability of human privacy. Article 15 (2) and Article 18 (3) of the Constitution stipulate that the grounds for interfering with the right has to be determined by law, and not by a by-law, as is proposed by the draft law. It also should be noted that OTA's authority to oversee covert investigative activities, which, just like the draft law, allows for unjustified interference with private life has been contested in the constitutional court by hundreds of citizens.
It should be taken into consideration that the draft law does not comply with a number of principles of the European Directive “Concerning measures for a high common level of security of network and information systems” that is mandatory for Georgia under the Association Agreement with the European Union.
According to the explanatory note to the draft law, international law and practices have not been studied.
It is also noteworthy that the draft law was prepared and submitted to the Parliament in an expedited manner, without a broad public discussion and involvement of the stakeholders, including the State Inspector, and there is no public consensus on the proposed changes. The Committee on Human Rights and Civil Integration was not involved in the review of the draft law in the Parliament.
We believe that a management model should be developed that would ensure the transparency and effectiveness of the information security system; for these purposes, it is essential to:
- Involve all stakeholders in the process of drafting the amendments to the Law of Georgia on Information Security and keep the process open
- Harmonize the draft law with the State Information Security Strategy and Action Plan
- Study the experience of European countries in order to adapt best practices to the reality of Georgia
We urge the Chairperson of the Parliament to hold a public meeting with the involvement of the representatives of the relevant Parliamentary Committees, experts in the field and the non-governmental sector, to discuss in detail the problems associated with the proposed draft law.
Institute for Development of Freedom of Information (IDFI)
Georgian Association of Information Security
Media Development Fund (MDF)
Small and Medium Telecom Operators Association of Georgia
Georgian Research and Education Networking Association (GRENA)
Human Rights Education and Monitoring Canter (EMC)
Georgian Young Lawyers Association (GYLA)
Open Society Georgia Foundation (OSGF)
Transparency International Georgia (TI)
Alliance of Broadcasters -Georgia
Liberal Academy Tbilisi