Alignment of Legal and Digital Realities

Digital technologies are indeed the most important component of today’s society. Kazakhstan is up-scaling its capacities to implement these technologies in economic, social and other areas. However, the gap between technological innovations and laws regulating these technologies is arguably one of the core reasons underpinning legal uncertainty in shaping uniform digital landscape.

On August 17, 2019, the Ministry of Digital Development, Innovations and Airspace Industry of the Republic of Kazakhstan made the proposed law On Amendments to Some Legislative Acts of the Republic of Kazakhstan regarding Regulation of Digital Technologies available on the e-government web-site for public discussion. *

Is National Biometric Initiative a Legal Grey Zone?

Biometric Identification Initiative is gaining momentum in Kazakhstan. For the security, facilitation and development of digital services, including public, social and commercial services, a remote identification model based, among other things, on various biometric indicants will be developed. The model is expected to identify clients through a database of public and commercial companies, and provide services to the authorities, business and social sector (education, healthcare, census, etc.).

Biometric systems are designed to identify a person by biological and physiological characteristics, such as fingerprints, iris, face, DNA, etc. Looking ahead, it should be noted that the national personal data protection legislation does not contain any legal grounds for the collection of biometric data through the advanced biometric technologies, such as face recognition.

The proposed law On Amendments to Some Legislative Acts of the Republic of Kazakhstan regarding Regulation of Digital Technologies is a step towards implementation of Digital Kazakhstan Program which, among others, envisages a digital identification mechanism, and according to the law developers it will become a fundamental infrastructure conducive to the creation of a uniform digital landscape for the interaction and communication among financial institutions, clients, authorities and business and will reliably raise the level and efficiency of financial, public and other services.*

In general, we acknowledge the proposed development of a remote identification model which relies, among others, on various biometric indents. It is particularly important in the developing context of a universal digital media to provide predictability and legal certainty to this process. Biometry is convenient and can provide a higher security. But some problems need to be addressed such as privacy and data protection. Personal data, including biometric data, should be collected and stored only when it is necessary and reasonable at the same time.

Recent international privacy protection documents oblige countries to take adequate measures to protect personal data accumulated in computerized databases from accidental or unauthorized destruction or accidental loss, as well as unauthorized access, modification or dissemination. The use of biometry becomes prevalent and at the same time the public is wondering: would the new national biometric initiative interfere with human rights to privacy and confidentiality of personal data?

While reviewing the legislative initiative we should look back to the history of biometry policymaking in Kazakhstan. Law of the Republic of Kazakhstan dated 21 May 2013 On Personal Data and Protection defines biometric data as “personal data which characterize physiological and biological characteristics of a subject of personal data for identification purposes.”

Currently, that national legislation applies to dactyloscopy and genome record-keeping only. *

The Dactyloscopy and Genome Record-Keeping Regulations address arrangement and performance of state bodies authorized to undertake dactyloscopy and/or genome record-keeping; collection, processing and protection of dactyloscopy and/or genome information; collection and use of biological samples; personal identification or verification.

Turning to the Law in question, it should be noted that sponsors of the proposed law offer the following definitions to the Informatization Law of the Republic of Kazakhstan:

• Biometric authentication is a personal identification by physiological and biological unvaried characteristics
• Verification of biometric data is authentication of new biometric data of an individual citizen with previously biometric measurement of the identified person.

Standard operating model of a core biometric system includes such steps as data collection and entry, data retrieval, data storage, data comparison and matching. At the same time, the key criterion of any operational biometric system is availability of a database which may store fingerprints, images, facial recognition data and other relevant identifying biometric data! As long as many biometric systems envisage matching with the benchmark, the availability of historical data becomes a key factor; and such data are compiled and may be compiled into a usable and practical database capable of identification and verification.

In Kazakhstan, it is planned to create an integrated platform of biometric data, however, it remained beyond the scope of the proposed law. As a result, in the absence of regulatory requirements to biometric databases the efficiency of biometric identity data management is questionable.

To implement the above biometric authentication and verification it is expected that the mandate of the authority responsible for the delivery of public services will be expanded to include “approval of rules for the collection, storage and use of biometric data for the authentication and verification of individuals in order to facilitate delivery of public services.” On one hand, this is a standard rule-making practice when the rules are approved by the relevant ministry; on the other hand, the biometric data collection and verification process under consideration involves privacy issues, and as such the secondary legislation only is absolutely not sufficient. We may refer to the Report of the UN’s Office of High Commissioner for Human Rights dated 30 June 2014 No. A/HRC/27/37 “The right to privacy in digital age” which concludes that “several States also require that the legal framework be established through primary legislation debated in parliament rather than simply subsidiary regulations enacted by the executive – a requirement that helps to ensure that the legal framework is not only accessible to the public concerned after its adoption, but also during its development in accordance with article 25 of the International Covenant on Civil and Political Rights.” The reference rules of the proposed law pointing to multiple subsidiary and institutional regulations that are hardly controllable by the public may undermine the law and effectiveness of procedures envisaged in it.

To create an efficient regulatory framework with appropriate use of biometric data, control and responsibility over compliance by the authorities with biometric data collection, storage and use there is a need for a separate Law of the Republic of Kazakhstan On Biometric Data.

It is necessary to consider revision of personal data protection legislation of the Republic of Kazakhstan and amendments to reflect latest application of the advanced biometric technologies. The state needs to revise legislation to address the challenges caused by continuous development of biometric technologies. Human rights approach to the use of biometric technologies should envisage procedural protection and efficient compliance control. *

This involves, among others, creation of an appropriate independent supervisory authority to oversee performance of governmental institutions with the authority to provide efficient remedies in the event of non-compliance, and creation of an independent supervisory authority to enforce compliance with privacy and personal data protection laws by governmental institutions. *

National Video Surveillance System – “Untargeted Spying”?

For example, in Almaty, in mass gatherings it is planned to install one thousand facial recognition cameras. The project is called - “Surveillance of Mass Gatherings”. The images will be received by the control center of the Almaty Police Department. The officials say that the software will pick out criminals on the wanted list and will enable police to respond fast to the offences. *

To establish a legal ground for the creation and performance of the National Video Surveillance System (NVSS) in Kazakhstan, the proposed law On Amendments to Some Legislative Acts of the Republic of Kazakhstan regarding Regulation of Digital Technologies defines types of venues subject to compulsory connection to the NVSS, as well as connection methods for venues on a voluntary basis in the Informatization Law.

Use of biometric technologies in forensics and investigation by law enforcement bodies is accepted in a democratic society; however, the state should give a serious consideration to implications of such technologies for human rights to protect people identified by such systems from abuse and guarantee compliance with international obligations secured in international and regional human rights conventions. In international practice, interference with private life is acceptable given the procedures which guarantee lawful compliance are in place.

Legislation in Kazakhstan contains some provisions related to the protection of private life with remedies to protect private life and personal data, forms and procedure to hold liable for the infringement of these rights. They include administrative, civil, criminal responsibility and responsibility under international law. According to clause 1 article 18 of the Constitution of the Republic of Kazakhstan adopted at referendum of 30 August 1995, every person has right to privacy, personal and family secret, protection of honor and dignity. Pursuant to article 145 of the Civil Code of the Republic of Kazakhstan dated 27 December 1994, no one may use image of any face without consent of that person, and in the event of death – without consent of heirs. However, I. Loskutov was right writing in the National Human Rights Action Plan of Kazakhstan, 2015-2020, “the Kazakh criminal intelligence legislation does not provide clear surveillance procedures and conditions, it does not guarantee that collection of information will discontinue as soon objective evidence is obtained to argue against assumption of criminal behavior. Crime control, even for the best of reasons, should not imply waiver of human rights and freedoms. Any current and proposed crime control policy should assess implications for privacy to enable review and provision of information on how policy and technologies mitigate privacy risks. Internal legal framework should be developed for the law enforcement bodies to store and use information which is predictable in terms of implications and subject to thorough check of compliance with public interests.” *

According to international law, the right to privacy is not absolute; it is acknowledged that any interference with the right to privacy should follow rule of law, adequacy and relevance principles. In addition, the State may authorize interference on the basis of law which itself must comply with the provisions, aim and objectives of the Covenant and be well grounded in particular circumstances. *

Any such interference should be made without distinction of race, language, religion, ethnic or social origin, political or other opinion or any other kind envisaged by international law. *

The United Nations’ Special Rapporteur on the Rights to Privacy noted that several countries around the world had identified an over-arching fundamental right to dignity, and the free, unhindered development of one’s personality and abuse of rights to privacy might affect suсh fundamental right. *

The Preambles to the UDHR and ICCPR state that recognizing the inherent dignity and of the equal and inalienable rights of all members of the human family is the foundation of freedom, justice and peace in the world.

Unauthorized use of biometric data may pose a hazard to these rights. Abuse of such data may create serious risks for the rights to the appropriate legal procedure, including right to be presumed innocent and other rights associated with a criminal prosecution. *

In addition, mass-scale collection of such data contrary to the principles of relevance and adequacy may represent violation of right to privacy. *

With regard to legal aspects of image and video content processing, there are some views that until they are used to identify a person they are not deemed biometric data and presently processing of such data is regulated by Personal Data and Protection Law in Kazakhstan because they are not used by the operator (owner of camera or person who made arrangements for operation of the camera) for personal identification purposes. However, these materials when used by the authorities involved into intelligence gathering, inquiry and investigation are biometric data in the instances when the objective of data processing is to identify a certain person. Biometric data may be processed only with the consent in writing of the personal data subject with the exceptions envisaged by the law. The concerned law proposes amendments to the Personal Data and Protection Law of the Republic of Kazakhstan in order to include the NVSS to the instances when the subject’s consent is not required for the collection and processing of personal data.

In this connection, the government should provide effective safeguards against unwanted collection, storage and use of biometric data obtained from video surveillance, and establish oversight by an independent body and guarantee that data subjects have the right to contest their personal data processing by law enforcement authorities. The authorities should disclose information about the right to appeal and existence of grievance mechanism.

In the presence of legitimate purpose and appropriate procedural protection, the state may exercise a fairly intrusive tracking; but still, the state needs to bring evidence that such interference is relevant and adequate to a particular risk. Mass-scale or “all-round” monitoring programs may be deemed unwanted even though they serve the legitimate purpose and were approved by the applicable law.

Judgements in Klaas & others v Germany case of 6 September 1978, Schenk v Switzerland case of 12 July 1988, Kruslin v France case of 24 April 1990 stated that when addressing acceptable interference with private life it is necessary to weigh conflicting interests – public interest to establish truth in a case and private interest to preserve confidentiality of private life. Such position is affirmed by the European Court of Human Rights in one of its recent decisions: “Powers of secret surveillance of citizens are tolerable under the Convention only in so far as strictly necessary for safeguarding the democratic institutions”, “no matter what surveillance system is established, the adequate and efficient safeguards against abuse should be in place”.

Is an Independent Personal Data Authority a Myth or Reality?

As discussed above, personal data regulatory framework is one of the greatest challenges for the state. Certainly, it is worth mentioning that the proposed law On Amendments to Some Legislative Acts of the Republic of Kazakhstan regarding Regulation of Digital Technologies contains a number of positive features intended to ensure confidentiality of personal data. A special mention should be made of a broad - compared to the current version - interpretation of “principle of purpose of data collection and processing” captured in article 14 of Personal Data and Protection Law. In the new version it says that “Processing of personal data should be restricted to the achievement of particular, preset and legitimate aims. No personal data may be processed contrary to the purpose of personal data collection. Content and scope of processed personal data should be compatible with the declared purposes of processing.”

I am pleased to note that the authors tried to capture a so-called ‘principle of personal data quality’ in the above Personal Data and Protection Law worded as follows: “The processed personal data should not exceed the scope of declared objectives of data processing”. In addition, this international basic principle of data protection envisages accuracy of information, adequacy and relevance through updates when needed. These requirements are especially relevant to the use of biometric technologies. Throughout the life-course, personal biometric identification characteristics may change due to maturity or ageing, i.e. a relative size, clarity and legibility of certain features may change. Unfortunately, we have to admit that this principle is not captured in full. Another positive requirement includes prohibited processing of ‘sensitive’ personal data related to race, ethnicity, political views, religious or philosophical opinions, health status, and intimate life.

In this context, the key recommendation of this review is to create in Kazakhstan a special oversight authority to protect personal data which is independent from other authorities, individuals or corporates. The responsibilities should include: review inquiries made by personal data subjects with regard to correspondence of the content of personal data to methods of processing, and appropriate decision-making; raise awareness of personal data subjects concerning rights related to processing their personal data; check information about processing of personal data and engage other authorities to such checks to the extent they are authorized to do so; provide instructions to bring processing of personal data in accordance with principles of the applicable law; decide on suspension or termination of personal data processing in breach of personal data protection in the manner prescribed by law; require from the holder to specify, block or destruct unreliable personal data or data received from illegal sources; file claims to the court to protect personal data subjects’ rights; complete reports of breach of law in the manner prescribed by administrative law; maintain register of personal data holders, etc.

Askar Zhumagaliyev, Minister of Digital Development, Innovations and Airspace Industry of the Republic of Kazakhstan, proposed to authorize the Information Security Committee to undertake protection of personal data (similar to Data Protection Agency in Europe). It was proposed to designate the Ministry as the authority responsible for the collection, processing and protection of personal data with a function to enforce national policy in the field of personal data, exercise government oversight in the field of personal data and approve policy related to collection, processing, accumulation and storage of personal data with the use of ICTs. *

It was proposed that the new functions of the Information Security Committee would include:

• Exercise regulation in the field of personal data
• Maintain the register of personal data operators
• Protect rights of personal data subjects
• Exercise control over compliance with personal data protection.

To our great regret, this revolutionary initiative was not reflected in the final version of the proposed law; the authors merely conferred the Ministry with general powers of government oversight in the field of collection, processing and protection of personal data contained in the electronic information resources.

Recommendations

• Establish a personal data authority independent from other authorities to exercise oversight in the field of safeguards and protection of personal rights and freedoms in the processing and use of personal data, including biometric data
• Create a legal framework for lawful use of biometric systems (facial recognition) in video surveillance
• Explore best legislative practices, develop, discuss and adopt a separate law on biometric data of citizens
• Develop regulatory framework envisaging safeguards against unwanted collection, storage and use of biometric personal data received through advanced applications of biometric technologies, such as facial recognition
• Safeguard that data subjects will be entitled to contest processing of their biometric data by law enforcement bodies. The authorities should disclose information about the right to appeal and existence of grievance mechanism
• Develop regulatory framework envisaging practical safeguards for citizens to have access to information about themselves held by the authorities, and how the authorities should inform citizens that such information is at the disposal of the authorities, to have the capacity to check the type and scope of personal data collected and processed by the authorities, and the use for the objectives other than previously described
• Capture regulatory and technical requirements to biometric databases for the efficiency of biometric ID data management and assessment of biometric system accuracy.

Ruslan Dairbekov, Eurasian Digital Foundation

RDairbekov@digitalrights.asia