For example, in Almaty, in mass gatherings it is planned to install one thousand facial recognition cameras. The project is called - “Surveillance of Mass Gatherings”. The images will be received by the control center of the Almaty Police Department. The officials say that the software will pick out criminals on the wanted list and will enable police to respond fast to the offences. *
To establish a legal ground for the creation and performance of the National Video Surveillance System (NVSS) in Kazakhstan, the proposed law On Amendments to Some Legislative Acts of the Republic of Kazakhstan regarding Regulation of Digital Technologies defines types of venues subject to compulsory connection to the NVSS, as well as connection methods for venues on a voluntary basis in the Informatization Law.
Use of biometric technologies in forensics and investigation by law enforcement bodies is accepted in a democratic society; however, the state should give a serious consideration to implications of such technologies for human rights to protect people identified by such systems from abuse and guarantee compliance with international obligations secured in international and regional human rights conventions. In international practice, interference with private life is acceptable given the procedures which guarantee lawful compliance are in place.
Legislation in Kazakhstan contains some provisions related to the protection of private life with remedies to protect private life and personal data, forms and procedure to hold liable for the infringement of these rights. They include administrative, civil, criminal responsibility and responsibility under international law. According to clause 1 article 18 of the Constitution of the Republic of Kazakhstan adopted at referendum of 30 August 1995, every person has right to privacy, personal and family secret, protection of honor and dignity. Pursuant to article 145 of the Civil Code of the Republic of Kazakhstan dated 27 December 1994, no one may use image of any face without consent of that person, and in the event of death – without consent of heirs. However, I. Loskutov was right writing in the National Human Rights Action Plan of Kazakhstan, 2015-2020, “the Kazakh criminal intelligence legislation does not provide clear surveillance procedures and conditions, it does not guarantee that collection of information will discontinue as soon objective evidence is obtained to argue against assumption of criminal behavior. Crime control, even for the best of reasons, should not imply waiver of human rights and freedoms. Any current and proposed crime control policy should assess implications for privacy to enable review and provision of information on how policy and technologies mitigate privacy risks. Internal legal framework should be developed for the law enforcement bodies to store and use information which is predictable in terms of implications and subject to thorough check of compliance with public interests.” *
According to international law, the right to privacy is not absolute; it is acknowledged that any interference with the right to privacy should follow rule of law, adequacy and relevance principles. In addition, the State may authorize interference on the basis of law which itself must comply with the provisions, aim and objectives of the Covenant and be well grounded in particular circumstances. *
Any such interference should be made without distinction of race, language, religion, ethnic or social origin, political or other opinion or any other kind envisaged by international law. *
The United Nations’ Special Rapporteur on the Rights to Privacy noted that several countries around the world had identified an over-arching fundamental right to dignity, and the free, unhindered development of one’s personality and abuse of rights to privacy might affect suсh fundamental right. *
The Preambles to the UDHR and ICCPR state that recognizing the inherent dignity and of the equal and inalienable rights of all members of the human family is the foundation of freedom, justice and peace in the world.
Unauthorized use of biometric data may pose a hazard to these rights. Abuse of such data may create serious risks for the rights to the appropriate legal procedure, including right to be presumed innocent and other rights associated with a criminal prosecution. *
In addition, mass-scale collection of such data contrary to the principles of relevance and adequacy may represent violation of right to privacy. *
With regard to legal aspects of image and video content processing, there are some views that until they are used to identify a person they are not deemed biometric data and presently processing of such data is regulated by Personal Data and Protection Law in Kazakhstan because they are not used by the operator (owner of camera or person who made arrangements for operation of the camera) for personal identification purposes. However, these materials when used by the authorities involved into intelligence gathering, inquiry and investigation are biometric data in the instances when the objective of data processing is to identify a certain person. Biometric data may be processed only with the consent in writing of the personal data subject with the exceptions envisaged by the law. The concerned law proposes amendments to the Personal Data and Protection Law of the Republic of Kazakhstan in order to include the NVSS to the instances when the subject’s consent is not required for the collection and processing of personal data.
In this connection, the government should provide effective safeguards against unwanted collection, storage and use of biometric data obtained from video surveillance, and establish oversight by an independent body and guarantee that data subjects have the right to contest their personal data processing by law enforcement authorities. The authorities should disclose information about the right to appeal and existence of grievance mechanism.
In the presence of legitimate purpose and appropriate procedural protection, the state may exercise a fairly intrusive tracking; but still, the state needs to bring evidence that such interference is relevant and adequate to a particular risk. Mass-scale or “all-round” monitoring programs may be deemed unwanted even though they serve the legitimate purpose and were approved by the applicable law.
Judgements in Klaas & others v Germany case of 6 September 1978, Schenk v Switzerland case of 12 July 1988, Kruslin v France case of 24 April 1990 stated that when addressing acceptable interference with private life it is necessary to weigh conflicting interests – public interest to establish truth in a case and private interest to preserve confidentiality of private life. Such position is affirmed by the European Court of Human Rights in one of its recent decisions: “Powers of secret surveillance of citizens are tolerable under the Convention only in so far as strictly necessary for safeguarding the democratic institutions”, “no matter what surveillance system is established, the adequate and efficient safeguards against abuse should be in place”.
Is an Independent Personal Data Authority a Myth or Reality?
As discussed above, personal data regulatory framework is one of the greatest challenges for the state. Certainly, it is worth mentioning that the proposed law On Amendments to Some Legislative Acts of the Republic of Kazakhstan regarding Regulation of Digital Technologies contains a number of positive features intended to ensure confidentiality of personal data. A special mention should be made of a broad - compared to the current version - interpretation of “principle of purpose of data collection and processing” captured in article 14 of Personal Data and Protection Law. In the new version it says that “Processing of personal data should be restricted to the achievement of particular, preset and legitimate aims. No personal data may be processed contrary to the purpose of personal data collection. Content and scope of processed personal data should be compatible with the declared purposes of processing.”
I am pleased to note that the authors tried to capture a so-called ‘principle of personal data quality’ in the above Personal Data and Protection Law worded as follows: “The processed personal data should not exceed the scope of declared objectives of data processing”. In addition, this international basic principle of data protection envisages accuracy of information, adequacy and relevance through updates when needed. These requirements are especially relevant to the use of biometric technologies. Throughout the life-course, personal biometric identification characteristics may change due to maturity or ageing, i.e. a relative size, clarity and legibility of certain features may change. Unfortunately, we have to admit that this principle is not captured in full. Another positive requirement includes prohibited processing of ‘sensitive’ personal data related to race, ethnicity, political views, religious or philosophical opinions, health status, and intimate life.