CONCLUSION
On the draft law of the Kyrgyz Republic
On biometric registration of citizens of the Kyrgyz Republic
Having reviewed the draft Law of the Kyrgyz Republic On Biometric Registration of Citizens of the Kyrgyz Republic (hereinafter the draft law / draft law), the Public Foundation Civic Initiative Internet Policies (hereinafter referred to as PF CIIP) notes that this draft law contains legal shortcomings that create the opportunity for ambiguous interpretation of some of the provisions contained in it, which in practice may lead to an arbitrary interpretation and inadequate application of this draft legislation and, as a result, to unreasonable restriction of the rights and freedoms of a person and citizen. The draft law does not comply with the Constitution of the Kyrgyz Republic, the Civil Code of the Kyrgyz Republic, the Law of the Kyrgyz Republic On Personal Information dated April 14, 2008 N 58, international standards in the field of personal data protection.
MAIN CONCLUSIONS:
1) One of the main gaps and shortcomings of the draft law is the unjustified non-assignment of biometric data to personal information / personal data. Whereas, according to the legislation of the Kyrgyz Republic, the biometric data of citizens is personal data. And, therefore, they should be subject to all the guarantees and principles that are laid down in the Constitution and the legislation of the Kyrgyz Republic on privacy and the right to self-determination in relation to their personal data.
The basic principles that are enshrined in the Constitution, the Civil Code, the legislation of the Kyrgyz Republic in relation to personal data of citizens – the right of citizens to the integrity and protection of private (personal) life, personal data are confidential information, in relation to personal data, the principle of self-determination.
Thus, international standards in the field of personal data protection and the legislation of the Kyrgyz Republic unequivocally establish that only a personal data subject has the right to independently decide whether or not to provide his personal data to someone, he has the right to refuse to provide it without giving a reason, and has the right to demand blocking and destructing his personal data. Thus, it is an inalienable right of the subject of personal data, guaranteed by the Constitution and not subject to any restrictions.
Taking into account the above provisions of the legislation of the Kyrgyz Republic, no legislative act2 can impose a duty on citizens to provide their personal data on a mandatory basis, no state body has the right to require mandatory submission of his/her personal data.
2) It is doubtful whether one of the tasks that the draft law is intended to solve is “reachable:“ compiling an updated voter list ”3. As mentioned above, whether or not to submit personal data is the right of each subject. Consequently, any citizen who has a passive electoral right has the right to refuse to submit his biometric personal data without giving reasons. This means that the task of forming a voter list based on citizens’ biometric data may not be solved.
Moreover, according to the Constitution of the Kyrgyz Republic, “to elect and be elected” is the constitutional right of citizens 4, and not an obligation; “Elections are free” 5. Hence it is not clear whether citizens who have not submitted their biometric personal data will be admitted to the elections, and if not, on what grounds will this prohibition apply? And further, if to participate in the elections is the right of a citizen, on what basis to submit their biometric personal data for the formation of the list of voters referred by the bill to the duties.
3) Practically in all countries of the world, the collection of biometric personal data of citizens is carried out with one purpose – for the introduction of a new generation of passports and exit / entry documents.
It should be noted that in 2002, 118 countries of the world signed, under the auspices of the ICAO, the New Orleans Agreement “Doc 9303. Machine Readable Travel Documents. Part 1 Machine Readable Passports. Volume 2. Specifications for electronic passports with biometric identification means”, which recognizes face biometrics as the basis for identification for the next generation of passports and entry visas.
That is, biometric personal data can in essence be collected mainly for the purpose of creating foreign passports and entry visas with the obligatory confidentiality of such data and all legal requirements in the field of privacy.
Ukraine6, the Russian Federation7, Turkmenistan8, Moldova9 and other countries chose this path.
This takes into account the phasing (gradual replacement of old passports with passports of a new generation) and voluntariness (self-determination of citizens in relation to their personal data).
4) The “Biometric Database of Citizens” united in one place, which “is owned by the Government of the Kyrgyz Republic ”10, in principle, cannot be created, because:
– The formation of consolidated personal data files received by state authorities or local authorities from various state holders (owners) of personal data is not allowed11.
– It is not allowed to combine arrays of personal data collected by holders (owners) for different purposes for automated information processing 12.
5) Before proceeding with the collection of biometric personal data of citizens, the Government of the Kyrgyz Republic must implement the following measures provided for by the Law on Personal Data Protection:
– arrays of personal data;
– holders (owners) of these arrays;
– create a Register of holders of personal data (fixing the information provided for by Article 30 of the Law on the Protection of Personal Data).
In more detail about all the legal shortcomings of the bill the analysis is given below.
ANALYSIS OF BASIC PROVISIONS OF THE LAW:
1)The law unreasonably does not include biometric data to personal information / personal data. The definition of “personal data” given in the draft law does not comply with the Law of the Kyrgyz Republic “On Personal Information” (hereinafter – the Law on Personal Data).
Thus, according to Article 3 of the above Law, “Personal information (personal data) is recorded information on a material carrier about a specific person or which can be identified with a specific person, allowing to identify this person directly or indirectly, by reference on one or more factors specific to its biological, economic, cultural, civil or social identity. Personal data includes biographical and identification data, personal characteristics, information about marital status, financial status, health, etc. ”.
Thus, according to the legislation of the Kyrgyz Republic, biometric data of citizens are personal data. A similar approach (the assignment of biometric data to personal data) is used in international practice, the legislation of other states (including Russia, Kazakhstan, Lithuania, Ukraine, European states).
Thus, in our opinion, in the definition of “biometric data” it is necessary to indicate that “biometric data is personal data (hereinafter referred to as the text)”.
The definition of personal data given in the draft law must be either deleted or given in accordance with the definition contained in the Law on Personal Data (in Article 3).
2)It is doubtful whether the following provisions are included in the draft law:
– “The collection and use of biometric data of citizens of the Kyrgyz Republic is based on the principles of mandatory biometric registration;” 13;
– “In addition to biometric data of citizens of the Kyrgyz Republic, as well as personal data of a citizen of the Kyrgyz Republic are also subject to compulsory collecting, storing and processing.” 14;
– “The Government of the Kyrgyz Republic determines the list of personal data of citizens of the Kyrgyz Republic to be compiled on a mandatory basis.” 15;
According to international standards in the field of personal data protection, personal data must be obtained and used in a conscientious and lawful manner, which implies, above all, the consent of the subject, that is, the realization of the right to informational self-determination. Every person is guaranteed the right to self-determination in the use, transfer and disclosure of his personal data. International generally accepted standards in the field of personal data protection require the maximum human right to self-determination in relation to their personal data, which, at least, theoretically gives a person the ability to defend his rights to protect his data in any form of processing.
The need to protect personal data is based on one of the fundamental human rights – protection against interference with privacy. Article 12 of the Universal Declaration of Human Rights (adopted and proclaimed by General Assembly resolution 217 A (III) of December 10, 1948) states: “No one may be subjected to arbitrary interference with his personal and family life, arbitrary attacks on the integrity of his home, his secret correspondence or on his honor and reputation. Everyone has the right to the protection of the law against such interference or such attacks. ”
The failure to guarantee the right to protection of personal data jeopardizes other related rights and freedoms, including freedom of expression, freedom of peaceful assembly, freedom of access to information, the principle of non-discrimination, and ultimately the stability of constitutional democratic principles. Therefore, in Article 17 of the International Covenant on Civil and Political Rights (ICCPR, New York, December 19, 1966) this formulation was expanded in terms of unlawful interventions and harassment and sounds like: “No one may be subjected to arbitrary interference with his personal and family life, arbitrary attacks on the integrity of his home, his secret correspondence or on his honor and reputation. Everyone has the right to the protection of the law against such interference or such attacks ”
According to the Constitution of the Kyrgyz Republic, “The Constitution has the highest legal force and direct effect in the Kyrgyz Republic. International treaties that have entered into force in accordance with the procedure established by law, to which the Kyrgyz Republic is a party, as well as generally recognized principles and norms of international law are an integral part of the legal system of the Kyrgyz Republic. The norms of international human rights treaties have direct effect and priority over the norms of other international treaties. ”16. “Human rights and freedoms are inalienable and belong to everyone from birth. Human rights and freedoms are the highest value. They act directly, determine the meaning and content of the activities of the legislative, executive authorities and local governments. ”17. “In the Kyrgyz Republic, no laws that repeal or diminish the rights and freedoms of a person and citizen should be enacted.” 18. “The law cannot establish restrictions on rights and freedoms for other purposes and to a greater extent than is provided by the Constitution.” 19. “Everyone has the right to privacy …” 20. “It is not allowed to collect, store, use and disseminate confidential information, information about the private life of a person without his consent, except as required by law. Everyone is guaranteed protection, including judicial protection, from unlawful collection, storage, dissemination of confidential information and information about a person’s private life, and also guarantees the right to compensation for material and moral damage caused by unlawful actions. ”21.
According to the Personal Data Protection Act, “The personal data subject shall independently decide whether to provide anyone with any of his personal data, with the exception of cases provided for in Article 15 of this Law.” 22. “The subject of personal data in case of refusal to provide its data has the right not to indicate the reasons for its refusal.23”.
Moreover, according to the Personal Data Protection Act, “In the event that the subject of personal data reveals their inaccuracy or disputes the lawfulness of actions in relation to his personal data, he is entitled to require the holder (owner) to block this data.” 24. “If it is established that the collection of personal data is unlawful, the holder (owner) is obliged to destroy the relevant data immediately after such establishment and notify the subject of the personal data in writing.” 25.
Thus, international standards in the field of personal data protection and the legislation of the Kyrgyz Republic unequivocally establish that only a personal data subject has the right to independently decide whether or not to provide his personal data to someone, he has the right to refuse to provide it without giving a reason, and has the right to demand blocking and destruction of his personal data. Thus, it is an inalienable, guaranteed by the Constitution and is not subject to any restrictions, the right of the subject of personal data.
Taking into account the above provisions of the legislation of the Kyrgyz Republic, no legislative act may impose a duty on citizens to provide their personal data on a mandatory basis, no state body has the right to require mandatory submission of its personal data. Therefore, the provisions established by Articles 4, 5 of the draft law (in terms of the mandatory biometric registration, mandatory delivery of personal data) are subject to exclusion from the draft law.
3)The provisions of the draft law on the authorized body in the field of biometric registration are also inconsistent with the legislation of the Kyrgyz Republic in the field of personal data protection.
Thus, according to the draft law under consideration, “The authorized state body in the field of biometric registration is a state body authorized by the Government of the Kyrgyz Republic to perform the functions of collecting, storing, using, processing, updating and protecting the base of biometric, personal and other data of citizens of the Kyrgyz Republic. ”26. And further: “Biometric registration of citizens of the Kyrgyz Republic residing in the territory of the Kyrgyz Republic is carried out by the authorized state body in the manner determined by the Government of the Kyrgyz Republic” 27; “The biometric data of citizens of the Kyrgyz Republic is transmitted in the established manner to data processing centers of the authorized state body” 28; “The holder of a biometric database of citizens of the Kyrgyz Republic is determined by the Government” 29.
These provisions of the draft law directly contradict the provisions of the Law on Protective Personal Data.
Thus, “Holder of the personal data array – state authorities, local governments and legal entities entrusted with the authority to define goals, categories of personal data and control the collection, storage, processing and use of personal data in accordance with this Law.” 30. “State authorities, local governments that work with personal data arrays in accordance with this Law and other regulatory legal acts of the Kyrgyz Republic have the right to act as holders (owners) of personal data” 31.
That is, the holders of personal data arrays can be the relevant state authorities, local self-government bodies and even legal entities at whose disposal may be personal data of citizens and who process personal data – “any operation or set of operations performed regardless of the ways the holder (owner) personal data or on his instructions, with or without automatic means, for the purpose of collecting, recording, storing, updating, grouping, blocking, erasing and destroying personal data. ”32.“ State authorities and local governments in their activities can use personal data held by other holders (holders) of personal data ”33.
At the same time, it is the responsibility of the Government of the Kyrgyz Republic 34 to determine the authorized state body — the state body entrusted with the functions of registering holders of an array of personal data, maintaining the Register of holders of an array of personal data and other tasks stipulated by this Law, 35, as well as maintaining and the registration of arrays of personal data and their holders (owners) “36.
Thus, the authorized body must perform the functions of registering holders (holders) of an array of personal data, maintaining the register of holders, and the definition of an “authorized body” contained in the draft law contradicts the specified requirements.
Moreover, according to the Law on the protection of personal data and international standards in this area, one body cannot perform the functions of “collecting, storing, using, processing, updating and protecting the base of biometric, personal and other citizens’ data” (all these actions in the Law on the protection of personal data combined into one definition – “personal data processing”), biometric data cannot be transferred to one body, as the “citizen’s biometric data base” itself cannot be created in principle because:
– The formation of consolidated personal data files received by state authorities or local authorities from various state holders (owners) of personal data is not allowed 37.
– It is not allowed to combine arrays of personal data collected by holders (owners) for different purposes, for automated processing of information 38.
4)Contrary to the Constitution, legislation in the field of personal data protection is the provision of the draft law, established in paragraph 1 of Art. 6: “The database of biometric data of citizens of the Kyrgyz Republic belongs to the Government of the Kyrgyz Republic.”.
According to the Constitution of the Kyrgyz Republic, “The state, its bodies, local self-government bodies and their officials cannot go beyond the scope of the powers defined by this Constitution and the laws.” 39. That is, the principle “everything is forbidden that is not directly allowed by the laws of the Kyrgyz Republic” applies to state authorities. The powers of the Government are established by Art. 88 of the Constitution and the Constitutional Law “On the Government of the Kyrgyz Republic”. In these regulatory legal acts, the Government does not have the authority to be the owner of a “biometric database of citizens of the Kyrgyz Republic” (as well as it is illegal to create the biometric database itself)
Based on the above, the provisions of art. 3 (definition of the authorized body), p.2 Art. 5, paragraph 4 of Art. 5, paragraph 1 of Art. 6, paragraph 2 of Art. 6 must be excluded.
5)In our opinion, the collection and use of biometric data of citizens of the Kyrgyz Republic cannot be carried out on the principles of “openness (ensuring citizens’ confidence in the use of state of biometric data); “, as established by Article 4 of the draft law.
Since “Personal data held by the holder (owner) is classified as confidential information, except as specified by this Law.” 40; “Everyone is guaranteed protection, including judicial protection, from unlawful collection, storage, and distribution of confidential information and information about the private life of a person” 41.
Thus, instead of the principle of “openness”, the law should be based on the principles of legality, confidentiality and security of personal data of citizens, including biometric.
6)Contradicts the Law on the protection of personal data and international standards in the field of privacy of the provisions of paragraph 5 of Art. 6 of the draft law: “The provision of information, information from the biometric database of citizens of the Kyrgyz Republic is carried out in cases stipulated by laws and other regulatory legal acts of the Kyrgyz Republic, international treaties and agreements to which the Kyrgyz Republic is a party, in the interests of the national security of the Kyrgyz Republic, protection of rights human or by consent of the subject of biometric data. “.
Thus, according to the Law on Personal Data Protection, the Holder (owner) of an array of personal data is entitled to transfer this data to another holder (holder) without the consent of the subject of personal data in the following cases:
– urgently necessary to protect the interests of the subject of personal data;
– at the request of state authorities, local authorities, if the requested list of personal data corresponds to the powers of the requesting authority;
– based on legislation of the Kyrgyz Republic.42
In any case, the holder (owner) of the personal data array is obliged to inform the subject of personal data about the transfer of his personal data to a third party in any form in a week time.43
Under the “transfer of personal data”, in accordance with the Law on the Protection of Personal Data, is meant “the provision by the holder (owner) of personal data to third parties in accordance with this Law and international agreements.” 44
Issues of cross-border transfer of personal data (holders under the jurisdiction of other states) are regulated by Art. 25 of the Law on Personal Data Protection. According to the Law, “The transfer of personal data to countries that do not provide an adequate level of protection of the rights and freedoms of the subjects of personal data may take place under the condition:
– the consent of the subject of personal data on this transfer;
– if the transfer is necessary to protect the vital interests of the subject of personal data;
– if personal data are contained in a publicly accessible array of personal data. “45.
Under the consent of the subject of personal data, the Law means “expressed in any form free, specific, unconditional and conscious will of the person, in accordance with which the subject announces his consent to the implementation of procedures related to the processing of his personal data” 46.
7)For the above reasons, it contradicts the requirements of the Law on Personal Data Protection of the provisions of art. 8 of the draft law: The use of biometric data of citizens of the Kyrgyz Republic can be carried out without the consent of the subject of biometric data only in the case of the administration of justice and the execution of a judicial act, as well as in cases stipulated by the legislation of the Kyrgyz Republic on national security, countering terrorism and corruption, operational search activities other cases determined by the legislation of the Kyrgyz Republic.
Such unjustifiably broad language that does not comply with the legislation in the field of personal data protection makes it possible to fully exempt from the guarantees provided for by the Constitution of the Kyrgyz Republic and the Personal Data Protection Law and cannot be considered acceptable.
According to the Personal Data Protection Act, “Before providing personal data, an entity must be familiar with the holder (owner) of the personal data set with the list of collected data, the grounds and purpose of their collection and use, with the possible transfer of personal data to a third party, and informed otherwise possible use of personal data. ”47.
Article 15 of the Law on the Protection of Personal Data establishes only restrictions on the subject’s rights to provide and receive personal data, which include:
1. the right to provide personal data to the holders (owners) of personal data arrays by the subject – for subjects of personal data that are authorized for state secrets, in accordance with the Law of the Kyrgyz Republic “On Protection of State Secrets of the Kyrgyz Republic”;
2. the rights of the subject to access his personal data, make changes to his personal data, block his personal data:
a) for personal data obtained as a result operational search activities, except in cases where this activity is conducted in violation of the legislation of the Kyrgyz Republic;
b) for the personal data of the subjects detained on suspicion of committing a crime or who are charged in a criminal case, or to whom a preventive measure is applied before being charged to the authorities conducting the specified actions.
At the same time, “Restriction of the subject’s access rights to his personal data, not provided for in part 1 of this article, is not allowed.” 48.
The above list (second paragraph of Article 8 of the draft law) should be brought into line with the Law on the Protection of Personal Data (Article 24, 25 of the Law), on the assumption that all state bodies, local authorities, legal entities that are holders of personal biometric data should consider the requirements of the Law on Personal Data from the point of view of ensuring the rights and freedoms of citizens, enshrined in the Constitution of the Kyrgyz Republic.
Otherwise, the authorities will create a comfortable mode in which they will not actually be repaired by any significant obstacles to the collection, processing and use of personal data of citizens
8)Also, the provisions of paragraph 7 of Art. 6 of the draft law: “Control and supervision over the fulfillment of the requirements established by the Government of the Kyrgyz Republic is carried out by the authorized state body in the field of national security, by the prosecution authorities within the limits of authority.”
According to the Law on the Protection of Personal Data, “Control over the use of personal data obtained by state authorities, local state administrations and local authorities from other state holders (owners) of personal data is exercised by higher authorities, law enforcement agencies, and the Ombudsman (Akyikatchy) of the Kyrgyz Republic Republic in accordance with this Law. “49.
Thus, paragraph 7 of Art. 6 of the bill must be aligned with the provisions of Art. 22 of the Law on the protection of personal data.
Notes:
The Public Foundation "Civil Initiative on Internet Policy," based on the study of best global practices and analysis of the country's legislation, has developed a draft law of the Kyrgyz Republic
The International consortium for the Development of Digital Legislation has successfully completed work on the draft Digital Code for Kyrgyzstan, this document will create a favorable regulatory
Taking into account the significance of telecommunication sector's development, consulting company Promotank in a colaboration with the Public Foundation Civil Initiative on Internet Policy (CIIP)
