Conclusion of the Russian expertise on the draft Law of the Kyrgyz Republic “On Biometric Registration of Citizens of the Kyrgyz Republic”

CONCLUSION

on the draft law of the Kyrgyz Republic

“On biometric registration of citizens of the Kyrgyz Republic”

The draft Law of the Kyrgyz Republic “On Biometric Registration of Citizens of the Kyrgyz Republic” (hereinafter – the Draft Law) aims to create a unified database of biometric data of citizens of the Kyrgyz Republic, providing for the obligation (for citizens) to submit their data.

It is necessary to immediately stipulate that the collection of biometric data on individuals is currently carried out in many countries of the world. The purpose of the collection, one way or another, is identification and authentication in difficult situations, such as:

a) crossing the state border (currently, the UN ICAO has adopted the Doc 9303 standard, which includes the inclusion of biometric identification information in travel documents; similarly, biometric information is processed in the VIS system in the European Union on the basis of Regulation (EC) N 767/2008, in the USVisit system The United States on the basis of a number of federal laws);

b) rendering assistance to persons of dangerous professions or their relatives (in the event of death) – for this purpose, fingerprinting of military personnel, law enforcement officers, firemen, rescuers, etc .;

c) prevention and prevention of crimes – for which biometric data of criminals or suspects is collected.

In the Russian Federation in the situations specified in paragraphs “b” and “c”, mandatory fingerprint registration is carried out in the manner established by Federal Law No. 128-FZ of July 25, 1998 “On State Dactyloscopic Registration in the Russian Federation”. In foreign countries, cases of mandatory fingerprinting, as well as the collection of other biometric information, are provided for by national legislation.

Taking into account the above, and not disputing the very possibility of collecting biometric information about citizens, I would like to highlight the cases of collection provided for by the Draft Law, the composition of the collected and stored data and the purposes for which the specified data is collected and stored.

1)The draft law (Part 1 of Article 5) establishes that every citizen of the Kyrgyz Republic is obliged to undergo biometric registration in accordance with the draft law. It does not make any exceptions, including for young citizens, citizens suffering from mental disorders, citizens permanently residing abroad, people whose beliefs do not allow them to provide biometric data. It seems that it is precisely with the obligatory registration that the main difficulties of the Draft Law are related: both in terms of contradiction to its acts of higher legal force, and in the implementation of the provisions of the Draft Law.

Article 6 of the Constitution of the Kyrgyz Republic establishes that the international treaties that have entered into force in accordance with the law, to which the Kyrgyz Republic is a party, as well as generally accepted principles and norms of international law are an integral part of the legal system of the Kyrgyz Republic. The norms of international human rights treaties have direct effect and priority over the norms of other international treaties. Meanwhile, the principle of voluntariness in the provision of personal – and, above all, biometric data can be fully considered as generally accepted. Thus, it is worth noting the provisions of the Agreement on cooperation in the creation of state information systems of passport and visa documents of the new generation signed by the Kyrgyz Republic and their further development and use in the CIS member states (Chisinau, November 14, 2008) (hereinafter referred to as the Chisinau Agreement). Article 2 of the agreement provides that biometric data, that is, information that characterizes the physiological characteristics of a person and on the basis of which his personality can be established (digital photo, fingerprints, an image of the iris and other biometric personal data), can be processed only if consent in writing to the subject of personal data in accordance with the legislation of the States Parties to this Agreement. The Charter of Fundamental Rights of the European Union (Strasbourg, December 12, 2007) (2007 / C 303/01) establishes as a legal principle that personal data must be processed in good faith, for stated purposes and with the consent of the person concerned or other legitimate reasons, stipulated by law.

2)The establishment of a mandatory biometric registration requires, firstly, an extremely specific definition of the purposes for which the collected biometric data are used, and secondly, the existence of a reasonable list of exceptions to mandatory registration. The draft law does not provide for either: the purpose of using the collected biometric information is defined extremely vaguely (Article 2 and Article 7), and the list of exceptions is not provided at all.

Meanwhile, the principle of proportionality of the processing of personal data and compliance of operations with them to the goals is considered as the basic principle of personal data protection.1 Data, especially biometric, should be collected in the form that is optimal (in terms of volume, content, presentation form, etc.) for the purposes of their use. So, in order to identify the perpetrator, it is necessary to store dactylograms, for identification at crossing the border, digital fingerprints (images of the face or iris of the eye) are needed, and it is desirable to store DNA samples for identification of corpses.

Uncertainty about the use of collected biometric data raises the question of how important the collected database of biometric data will be. For example, when issuing a passport or travel document to a citizen of the Kyrgyz Republic, will “reference” fingerprints be used from the base, or will fingerprints be taken repeatedly? Can information from the biometric database be provided to foreign countries, including in accordance with international extradition treaties, on countering terrorism? Can biometric information (a closed list of which is not legally established) be used to establish paternity?

Faced with similar problems, in most countries, firstly, they do not provide for the mandatory collection of biometric data, secondly, they delimit the stored data by the purposes of their processing, as a rule, avoiding the centralized storage of biometric data. Thus, the collection of biometric information for the issuance of a travel document is carried out only at the request of a citizen. At the same time, neither ICAO documents nor the legislation of many countries provide for centralized biometric data after issuing a travel document: all data is stored directly on the carrier in a passport.2 Thus, a number of goals are achieved: proportionality of personal data processing, their timely updating, protection from massive leaks and so forth

3)Due to the fact that biometric data is by definition personal data, legislation on the protection of personal information is fully applicable to their processing. Meanwhile, the procedures provided for by this legislation are not synchronized with the procedures provided for by the Draft Law.

Thus, the Law of the Kyrgyz Republic of April 14, 2008 N 58 “On Personal Information” provides for the broad rights of the subject of personal data, which, of course, also applies to biometric information processed in accordance with the Draft Law. The subject of personal data independently resolves the issue of providing anyone with any of his personal data. Before providing his personal data, the subject must be familiar with the holder (owner) of the personal data array with the list of collected data, the grounds and purposes for their collection and use, with the possible transfer of personal data to a third party, and also informed about other possible use of personal data. The subject of personal data in case of refusal to provide its data has the right not to indicate the reasons for its refusal. The subject of personal data has the right to know about and have access to the personal data associated with the holder (owner) of his personal data. No exceptions are made for biometric registration from these provisions! Formally, any citizen of the Kyrgyz Republic can first go through biometric registration, and then demand termination of the processing of their personal data in the biometric database.

4)The problems described above with legal technique and, as a result, with the implementation of the Draft Law, are forced to conclude that it has a corruptibility. In particular, in what situations the measures of responsibility for evasion from biometric registration provided by the Draft Law will be applied. Most likely, these will be cases of the provision of public services: the issuance of permits, the registration of rights and acts of state, the crossing of the state border. Failure of biometric registration is the reason for bringing the applicant to responsibility or extortion of a bribe for not taking it.

Taking into account the above remarks, it seems most appropriate to introduce amendments to the Draft Law that abolish the obligation of biometric registration and set specific goals for processing biometric information and the composition of information processed for this purpose. Implementation of a biometric registration as a pilot project in one or several localities, linked to the provision of any state or municipal services, could also be effective. If such a pilot project is successful, it will be possible to draw conclusions about the expansion of cases of voluntary biometric registration.

N. A. Dmitrik

Ph.D.

Head of Legal Consulting

PA “Park Media Consulting”

Moscow, 07/09/2014

1. The Convention on the Protection of Individuals with the Automated Processing of Personal Data (Strasbourg, January 28, 1981) postulates this principle as follows: personal data undergoing automatic processing:

b) must be accumulated for precisely defined and legitimate purposes and not be used contrary to these goals;

c) must be adequate, relevant and not excessive in relation to the purposes for which they are accumulated;

2. Speaking of “many” countries, it is worth mentioning, at a minimum, the United States, the Federal Republic of Germany and the Russian Federation, whose laws prohibit the centralized storage of biometric data entered in travel documents.