SUMMARY to the draft Law of the Kyrgyz Republic “On biometric registration of citizens of the Kyrgyz Republic”

23.07.2014


Having examined the draft Law of the Kyrgyz Republic “On biometric registration of citizens of the Kyrgyz Republic” (hereinafter the bill / draft Law), the Public Fund “Civil Initiative on Internet Policy” (hereinafter PF “CIIP”) notes that the bill contains legal flaws that allow ambiguous interpretation of certain of its provisions, which in practice may lead to arbitrary interpretation and improper application of the draft legislative act and, as a result, to undue limitation of the rights and freedoms of man and citizen. The bill does not comply with the Constitution of the Kyrgyz Republic, the Civil Code of the Kyrgyz Republic, the Law of the Kyrgyz Republic “On information of a personal nature” of April 14, 2008 N 58, or the international standards for the protection of personal data.

KEY SUMMARY

1) One of the major gaps and shortcomings of the bill is its unfounded failure to classify biometric information as information of a personal nature / personal data, whereas according to the legislation of the Kyrgyz Republic1 the biometric data of citizens are personal data and, therefore, should be subject to all the guarantees and principles laid down in the Constitution and legislation of the Kyrgyz Republic on privacy and the right to self-determination in relation to personal data.

The basic principles enshrined in the Constitution, the Civil Code and the legislation of the Kyrgyz Republic in respect of citizens’ personal data are: a citizen’s right to privacy and to the protection of private (personal) life; personal data are confidential information; and the principle of self-determination applies to personal data.

Thus, international standards in the field of personal data protection and the legislation of the Kyrgyz Republic unequivocally establish that only the data subject has the right to decide whether or not to provide his/her personal information to anyone, has the right to refuse to provide it without giving a reason, and has the right to demand the blocking and destruction of his/her personal data. This right of the personal data subject is inalienable, constitutionally guaranteed and not subject to any restrictions.

Given the above provisions of the legislation of the Kyrgyz Republic, no legislative act2 may impose a duty on citizens to provide their personal data on a mandatory basis, and no public body may require the mandatory submission of personal data.

2) It is doubtful whether one of the problems the bill is meant to resolve is achievable: “compiling an actualized list of voters3.” As indicated above, whether or not to submit personal data is the right of every data subject. Therefore, any citizen who has the passive suffrage has the right to refuse, without giving any reason, to submit his/her biometric personal data. Hence the task of forming the list of voters on the basis of citizens’ biometric data cannot be solved.

Moreover, according to the Constitution of the Kyrgyz Republic, “to vote and to be elected” is a constitutional right4 of citizens, not an obligation; “Elections shall be free”5. Hence it is not clear whether citizens who do not provide their biometric personal data will be admitted to the elections and, if not, on what grounds this ban will operate. Further, if participation in elections is a citizen’s right, on what basis does the bill make the submission of biometric personal data for generating the list of voters a duty?

3) In almost all countries of the world the collection of citizens’ biometric personal data is carried out with one purpose: to introduce new-generation passports and exit/entry passports. It should be noted that in 2002, 118 countries signed, under the auspices of ICAO, the New Orleans agreement “Doc 9303. Readable Travel Documents. Part 1 Machine Readable Passports. Volume 2. Specifications for electronic passports with biometric identification means”, which recognizes facial biometrics as the basis of identification for next-generation passports and entry visas.

I.e., biometric personal data may in fact be collected mainly to create passports and visas, with mandatory confidentiality of such data and compliance with all legal requirements in the area of privacy.

Ukraine6, the Russian Federation7, Turkmenistan8, Moldova9 and other countries have taken this path.

This approach takes into account phasing (gradual replacement of old passports with new-generation passports) and voluntariness (self-determination of citizens in relation to their personal data).

4) A single, consolidated “biometric data base of citizens” that “belongs to the Government of the Kyrgyz Republic10” cannot, in principle, be established, because:

– The formation of a consolidated array of personal data collected by state or local government bodies from various public holders (owners) of personal data is not allowed11.

– Combining arrays of personal data collected by holders (owners) for different purposes, for automated data processing, is not allowed12.

5) Before collecting citizens’ biometric personal data, it is absolutely necessary for the Government of the Kyrgyz Republic to implement the following measures under the Law on the protection of personal data:

  • To create an authorized body within the meaning of the Law on the protection of personal data, which will be responsible for registering holders (owners) of arrays of personal data and keeping a Register of arrays of personal data; or to impose such duties on a state body;

  • To perform mandatory registration with the authorized state body of:

– Arrays of personal data;

– Holders (owners) of these arrays;

– To create a register of holders of arrays of personal data (recorded as provided under Art. 30 of the Law on Protection of Personal Data).

  • To publish the Register of holders of personal data in the mass media.

More detail on all the legal shortcomings of the bill is provided in the analysis below.

ANALYSIS OF THE MAIN PROVISIONS OF LAW:

1. The bill unreasonably does not classify biometric data as personal information / personal data. The definition of “personal data” given in the draft law does not correspond to the Law of the Kyrgyz Republic “On information of a personal nature” (hereinafter – the Law on personal data).

Thus, according to Article 3 of the above Law, “Information of a personal nature (personal data) – is recorded information on a tangible medium about a particular person, identified with a particular person or which can be identified with a specific person, which allows to identify this person, directly or indirectly, by reference on one or more factors specific to his biological, economic, cultural, civil or social identity. Personal data include biographical and identifying data, personal characteristics, information on marital status, financial status, health and so on”.

Thus, according to the legislation of the Kyrgyz Republic, a citizen’s biometric data are personal data. A similar approach (classifying biometric data as personal data) is used in international practice and in the legislation of other states (including Russia, Kazakhstan, Lithuania, Ukraine, European countries).

Thus, in our view, in the definition of “biometric data” it is necessary to indicate that the “biometric data – is personal data (hereinafter referred to).”

The definition of personal data given in the draft must either be deleted or brought into line with the wording of the Law on Personal Data (Art. 3).

2. The justification for including the following provisions in the bill is doubtful:

– “The collection and use of biometric data of citizens of the Kyrgyz Republic based on the principles of mandatory biometric registration13;”

– “In addition to the biometric data of citizens of the Kyrgyz Republic, the mandatory collection, storage and processing of personal data is also a subject to a citizen of the Kyrgyz Republic14”;

– “The Government of the Kyrgyz Republic defines a list of the personal data of citizens of the Kyrgyz Republic to be collected on a mandatory basis15”.

According to international standards in the field of personal data protection, personal data must be obtained and used in good faith and in a lawful manner, which requires, above all, the consent of the data subject, i.e. the realization of the right to informational self-determination. Every individual has the right to self-determination in the use, transfer and disclosure of his/her personal data. Internationally recognized standards in the field of personal data protection require that the right to self-determination in relation to one’s personal data be ensured to the maximum extent, which, in theory at least, gives people the ability to defend their rights to the protection of data in any form of processing.

The need for protection of personal data is based on one of the fundamental human rights – the protection of privacy. Article 12 of the Universal Declaration of Human Rights (adopted and proclaimed by General Assembly resolution 217 A (III) on December 10, 1948) states: “No one shall be subjected to arbitrary interference with his privacy, family, random attacks on the inviolability of his home, his secret correspondence or on his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

Inability to guarantee the right to protection of personal data jeopardizes other related rights and freedoms, including freedom of expression, freedom of peaceful assembly, freedom of access to information, the principle of non-discrimination, and ultimately the stability of constitutional democratic principles. Therefore, in Article 17 of the International Covenant on Civil and Political Rights (ICCPR, New York, 19 December 1966), this formulation has been extended in terms of unlawful interference and abuse and reads as follows: “No one shall be subjected to arbitrary or unlawful interference with his privacy and family life, arbitrary or unlawful interference with his or her home or correspondence, nor to unlawful attacks on his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

According to the Constitution of the Kyrgyz Republic, “The Constitution has supreme legal force and direct effect in the Kyrgyz Republic. Entered in accordance with the law in force of international treaties ratified by the Kyrgyz Republic, as well as the generally recognized principles and provisions of international law are an integral part of the legal system of the Kyrgyz Republic. Provisions of international human rights treaties have direct effect and priority over other norms of international treaties16”. “Human rights and freedoms are inalienable and belong to everyone from birth. Provisions rights and freedoms are the supreme value. They act directly; determine the meaning and content of the legislative, executive authorities and local self-government”. “The Kyrgyz Republic should not be passing laws abolishing or diminishing the rights and freedoms of man and citizen.” “The law can not impose restrictions of rights and freedoms for other purposes and to a greater extent than is provided for by the Constitution17”. “Everyone is entitled to privacy…”18. “The collection, storage, use and dissemination of confidential information about the private life of a person without his consent is not allowed, except as required by law. Everyone shall be guaranteed protection, including the judiciary, from improper collection, storage, disclosure of confidential information and information about the privacy of individuals, as well as guaranteed right to compensation for material and moral damages caused by unlawful actions”19.

According to the Law on Personal Data Protection, “The subject of personal data independently decides whether to grant anybody any of their personal information, except as provided for in Article 15 of this Law”20. “The subject of personal data in case of failure in the provision of their data have the right not to give reasons for its refusal21”.

Moreover, according to the Law on Personal Data Protection, “If the subject of personal data reveals their reliability or contesting the legality of actions in respect of his personal data, he may require the holder (owner) to block the data22”. “In the case of establishing the illegality of collecting personal data holder (holder) must destroy relevant data immediately after the establishment of such a document and notify the data subject”23.

Thus, international standards in the field of personal data protection and the legislation of the Kyrgyz Republic unequivocally establish that only the data subject has the right to decide whether or not to provide his/her personal information to anyone, has the right to refuse to provide it without giving a reason, and has the right to demand the blocking and destruction of his/her personal data. This right of the personal data subject is inalienable, constitutionally guaranteed and not subject to any restrictions.

Given the above provisions of the legislation of the Kyrgyz Republic, no legislation can impose a duty on citizens to provide their personal data on a mandatory basis; no state body may require the mandatory submission of their personal data. Therefore, the provisions set out in Articles 4 and 5 of the bill (in terms of mandatory biometric registration and compulsory submission of personal data) shall be excluded from the bill.

3. The provisions of the bill on the authorized body in the field of biometric registration also do not conform to the legislation of the Kyrgyz Republic in the field of personal data protection.

Thus, according to a draft law, “authorized state body in the sphere of biometric registration – is the state body authorized by the Government of the Kyrgyz Republic, to carry out the functions of collection, storage, use, processing, updating and protecting biometric database, and other personal data of citizens of the Kyrgyz Republic”24. And further: “The biometric registration of citizens of the Kyrgyz Republic, residing on the territory of the Kyrgyz Republic is carried out by the authorized state body in the order determined by the Government of the Kyrgyz Republic”25; “Biometric data of citizens of the Kyrgyz Republic in the established order is transmitted to data processing centers of authorized state body”; “The holder of biometric data base of citizens of the Kyrgyz Republic is determined by the Government”26.

These provisions of the bill are directly contrary to the provisions of the Law on Personal Data Protection.

Thus, the “holder (holder) of the array of personal data – the state bodies, local authorities and legal persons entrusted with the authority to determine objectives, categories of personal data and control the collection, storage, processing and use of personal data in accordance with this Law”27. “State bodies, local authorities, working with arrays of personal data in accordance with this Law and other legal acts of the Kyrgyz Republic have the right to act as of holders (owners) of personal data”28.

I.e., holders of personal data arrays may be the relevant state agencies, local governments and even legal persons that may have citizens’ personal data in their possession and that process personal data, meaning “any operation or set of operations regardless of the way the holder (owner) of personal data or on his behalf, with automated means or without, in order to collect, record, store, update, group, block, erasure and destruct the personal data29”. “State bodies and local authorities in their work may use personal data held by other holders (owners) of personal data.”30

In this case the duty of the Government of the Kyrgyz Republic is31 to determine the authorized state body, i.e. the state agency responsible for registering holders (owners) of arrays of personal data, keeping the register of arrays of personal data and other tasks under this Law32, as well as to “take account of and registration of personal data arrays and their holders (owners).”33

Thus, the authorized body should exercise the functions of registering holders (owners) of arrays of personal data and keeping the register of holders; the definition of “authorized body” given in the draft is contrary to these requirements.

Moreover, according to the Law on Personal Data Protection and international standards in this area, one body cannot perform the functions “on the collection, storage, use, processing, updating and protecting of biometric database, and other personal data of citizens” (all of these actions are combined in the Law on protection of personal data into one definition – “processing of personal data”); biometric data cannot be transmitted to one body, just as the “biometric data base of citizens” cannot, in principle, be created, because:

– The formation of consolidated arrays of personal data collected by state or local government bodies from various state holders (owners) of personal data is not allowed34.

– It is not permissible to combine arrays of personal data collected by holders (owners) for different purposes, for automated data processing35.

4. The provision of the bill set out in paragraph 1 of Art. 6 is contrary to the Constitution and to the Law on personal data protection: “The base of biometric data of citizens of the Kyrgyz Republic belongs to the Government of the Kyrgyz Republic”.

According to the Constitution of the Kyrgyz Republic, “The state, its agencies, local governments and their officials can not go beyond the powers defined by the Constitution and laws”36. I.e., in respect of state authorities, the principle “everything that is not expressly permitted by the laws of the Kyrgyz Republic is forbidden” applies. The powers of the Government are established by Article 88 of the Constitution and the Constitutional Law “On the Government of the Kyrgyz Republic.” These normative legal acts give the Government no authority to be the owner of the “biometric data base of citizens of the Kyrgyz Republic” (and the creation of the biometric database itself is illegal).

Based on the foregoing, the following provisions shall be excluded from the bill: Art. 3 (definition of the authorized body), paragraph 2 of Art. 5, paragraph 4 of Art. 5, paragraph 1 of Art. 6, paragraph 2 of Art. 6.

5. In our opinion, the collection and use of biometric data of citizens of the Kyrgyz Republic can not be done on the principles of “openness (to ensure public confidence in the use of biometric data state)”, as it is established in Article 4 of the bill.

This is because “Personal Data under the jurisdiction of the holder (owner) refer to confidential information, except as defined in this Law”37 and “Everyone is guaranteed protection, including the judiciary, from improper collection, storage, disclosure of confidential information and information about the private life of a person.”38

Thus, instead of the principle of “openness”, the bill should be based on the principles of legality, privacy and security of citizens’ personal data, including biometrics.

6. The provisions of paragraph 5 of Art. 6 of the bill are contrary to the Law on personal data protection and international standards in the field of privacy: “Providing information, facts from the database of biometric data of citizens of the Kyrgyz Republic, carried out in the cases provided for by laws and other legal acts of the Kyrgyz Republic, international treaties and agreements the Kyrgyz Republic is a participant of which, in the interests of national security of the Kyrgyz Republic, human rights or with the consent of the subject of biometric data”.

According to the Law on Personal Data Protection, the holder (owner) of an array of personal data is entitled to transfer the data to another holder (owner) without the consent of the data subject in the following cases:

– When absolutely necessary to protect the interests of the data subject;

– Upon request of state bodies or local governments, if the requested list of personal data corresponds to the powers of the requesting authority;

– On the basis of the legislation of the Kyrgyz Republic39.

In any case, the holder (owner) of the array of personal data is obliged to inform the data subject of the transfer of personal data to third parties, in any form, within a week40.

“Transmission of personal data” is defined in the Law on Personal Data Protection as “the provision by the holder (owner) of personal data to third parties in accordance with this Law and international treaties”41.

Issues of cross-border transfer of personal data (to the holders under the jurisdiction of other States) are regulated by Article 25 of the Law on Personal Data Protection. According to the Law, “The transmission of personal data to countries that do not provide an adequate level of protection of the rights and freedoms of data subjects, there may be provided in a case:

– The existence of consent of the data subject to the transfer;

– If the transfer is necessary to protect the vital interests of the data subject;

– If the personal data contained in the shared array of personal data”42.

By the consent of the subject of personal data the Law means the “expressed in any form free, specific, unequivocal and informed will of the person, in accordance with which the subject notifies its consent for the procedures related to the processing of personal data43”.

7. For the above-mentioned reasons the provisions of Art. 8 of the Bill contradict the requirements of the Law on Personal Data Protection: The use of biometrics of citizens of the Kyrgyz Republic can be carried out without the consent of subject of the biometric data only in the case of the administration of justice and comply with a judgment, and in cases stipulated by the legislation of the Kyrgyz Republic on national security, counter-terrorism and corruption, operational and investigative activities and other cases determined by the legislation of the Kyrgyz Republic.

Such unduly broad terms, which are contrary to the law on the protection of personal data, make it possible to completely waive the safeguards provided by the Constitution and the Law on the protection of personal data and cannot be deemed acceptable.

According to the Law on Personal Data Protection, “Before providing their personal data subject must be made aware of the holder (owner) of the array of personal data with the list of collected data bases and purposes of their collection and use, with the possible transfer of personal data to third parties, as well as informed otherwise possible use of personal data44”.

Article 15 of the Law on protection of personal data sets out the only restrictions on the rights of the subject to provide and receive their personal data, which include:

1) the right to provide the subject of the personal data to holders (owners) arrays of personal data – for data subjects admitted to the information constituting a state secret – in accordance with the Law “On the Protection of State Secrets of the Kyrgyz Republic”;

2) access rights for subjects to their personal data, make changes to their personal data, the blocking of their personal data:

a) personal data obtained as a result of operative-search activity, excepting cases where this activity is carried out in violation of the legislation of the Kyrgyz Republic;

b) personal data for subjects who were detained on suspicion of committing a crime or indicted in a criminal case, or to which the preventive punishment before being charged in the bodies carrying out these actions.

The “Limitation of subject’s rights to access to their personal data, not provided for by paragraph 1 of this Article shall not be permitted”45.

The above list (the second paragraph of Article 8 of the Bill) should be brought into line with the Law on the protection of personal data (Articles 24 and 25 of the Act), based on the fact that all of the state bodies, local governments, legal persons who are holders of personal biometric data should consider the requirements of the personal data from the viewpoint of human rights and freedoms enshrined in the Constitution of the Kyrgyz Republic.

Otherwise, the public authorities will create a comfortable regime under which they will face practically no significant obstacles in collecting, processing and using citizens’ personal data.

8. The provisions of paragraph 7 of Art. 6 of the Bill also do not correspond to the Law on Personal Data Protection: “Control and supervision of compliance with the requirements established by the Government of the Kyrgyz Republic shall be exercised by the authorized state body in the sphere of national security, prosecutors within the authority”.

According to the Law on Personal Data Protection, “Control over the use of personal data collected by state bodies, local administrations and local authorities from other state holders (owners) of personal data is carried out by the higher authorities, law enforcement agencies, as well as the Ombudsman (Akyikatchy) of the Kyrgyz Republic in accordance with this Law”46.

Thus, paragraph 7 of Art. 6 of the Bill should be brought into conformity with the provisions of Art. 22 of the Law on Personal Data Protection.

1 Law of the Kyrgyz Republic “On the information of a personal nature” of April 14, 2008 N 58

2 Paragraph 3 of Article 20 of the Constitution of the Kyrgyz Republic: Law may not be imposed restrictions on rights and freedoms for other purposes and to a greater extent than is provided for by the Constitution.

3 Article 2 of the Bill

4 Paragraph 2 Clause 1, Article 52 of the Constitution of the Kyrgyz Republic

5 Paragraph 4 of Article 2 of the Constitution of the Kyrgyz Republic

6 Law of Ukraine “On the Unified State Demographic Register and Documents Confirming Citizenship of Ukraine, Certifying a Person’s Identity or Special Status” (with amendments and additions introduced by the Laws of Ukraine of 5 July 2012 N 5067-VI, of 4 July 2013 N 399-VII, of 17 September 2013 N 568-VII, of 13 May 2014 N 1262-VII)

7 Federal Law of 21.12.2009 number 337 – Federal Law “On Amending the Federal Law ‘On the Procedure for departure from the Russian Federation and entrance into the Russian Federation’”

10 Paragraph 1 of Article 6 of the Bill

11 Paragraph 2 of Article 22 of the Law on Personal Data Protection

12 Paragraph 6 of Article 22 of the Law on Personal Data Protection

13 Article 4 of the Bill

14 Article 5 of the Bill

15 Article 4 of the Bill

16 Paragraph 1 of Article 20 of the Constitution of the Kyrgyz Republic

17 Paragraph 3 of Article 20 of the Constitution of the Kyrgyz Republic

18 Paragraph 1 of Article 29 of the Constitution of the Kyrgyz Republic

19 Paragraph 3 of Article 4 of the Constitution of the Kyrgyz Republic

20 Paragraph 1 of Article 9 of the Law on Personal Data

21 Paragraph 4 of Article 9 of the Law on Personal Data

22 Article 12 of the Law on Personal Data

23 Paragraph 3 of Article 19 of the Law on Personal Data

24 Article 3 of the Bill

25 Paragraph 2 of Article 2 of the Bill

26 Paragraph 2 of Article 6 of the Bill

27 Article 3 of the Law on Personal Data

28 Paragraph 1 of Article 16 of the Law on Personal Data

29 Article 3 of the Law on Personal Data

30 Paragraph 1 of Article 22 of the Law on Personal Data

31 Article 29 of the Law on Personal Data

32 Article 29 of the Law on Personal Data

33 Article 29 of the Law on Personal Data

34 Paragraph 2 of Article 22 of the Law on Personal Data

35 Paragraph 6 of Article 4 of the Law on Personal Data

36 Paragraph 3 of Article 5 of the Constitution of the Kyrgyz Republic

37 Paragraph 1 of Article 6 of the Law on Personal Data

38 Paragraph 4 of Article 29 of the Constitution of the Kyrgyz Republic

39 Paragraph 1 of Article 24 of the Law on Personal Data

40 Paragraph 2 of Article 24 of the Law on Personal Data

41 Article 3 of the Law on Personal Data

42 Paragraph 3 of Article 25 of the Law on Personal Data

43 Article 3 of the Law on Personal Data

44 Paragraph 3 of Article 9 of the Law on Personal Data

45 Paragraph 2 of Article 15 of the Law on Personal Data

46 Paragraph 2 of Article 22 of the Law on Personal Data
