The aim of the draft law as stated in Article I is ensuring protection of the inviolability of private life whilst processing personal data. Lasha Tordia one of its initiators states: “Nowadays, the validity of the existent provision on personal data protection in the legislation of Georgia applies to the public instances solely. One of the most significant aspects introduced in the new Draft Law is its impact on the private sector. The objective thereof shall be the implementation of the legislation concerning the personal data protection and oversight of fulfillment thereof.”
Thus, the draft law envisages an obligation of processing personal data both by public and private sectors. The processed data must be transferred to the data protection inspector who will be in charge of controlling the legality of the processing. The term processing implies to any action conducted on the data including its obtainment, release and cancellation.
The regulation of personal data protection is indeed a requisite for democratic society, but the draft law fails to meet this objective and creates the danger of violating private life. Particularly, paragraph B of the Article VI, which envisages processing data of special category (the so-called sensitive data) without the consent of the data subject when the “significant public interest” is at stake. The data of special category is defined as follows: “personal data associated with the individual’s racial or ethnic background, political views, religious or philosophical beliefs, membership of a professional organization, state of health, sex life, criminal history and biometrical data that can identify the above mentioned characteristics.”
The corresponding provision does not fully comply with the Georgian Constitution. The Constitution already draws out the concrete public interests that can give rise to the dissemination of sensitive information. Specifically, paragraph II of the Article 41, states that in order to restrict a fundamental human right, one of the following goals must be met: “when it is necessary for ensuring the state security or public safety, for the protection of health, rights and freedoms of others.”
According to the Georgian Young Lawyers Association (GYLA), the term “significant public interest” carries an unduly broad meaning and the legitimate interests meant under it should be clearly defined. As according to Article II of the Draft Law, its operation does not expand to the objectives of state or public security, defense, operative-detective activities or crime investigation, it is hard to ascertain what public interests are implied here, states the GYLA.
Lasha Tordia defined the idea of ‘significant public interest’ in an interview with Netgazeti: “a kindergarten or a health unit must have information on whether its employee has AIDs or a kindergarten must know about the sexual orientation of its employee.” “We are talking about protecting such information. This data must be used for concrete purposes and cannot be used dishonestly,” – he added.
Yet the draft law creates a possibility of releasing sensitive information for the aim of undefined public interest thus a high risk for dishonest usage. Ucha Nanuashvili, the head of the Human Rights Center (Georgia) states: “Government creates additional mechanisms for exercising pressure on its citizens. In particular, the draft law envisages processing data of people’s political and ideological views, ethnic and religious backgrounds and their sexual orientation. This has been the grounds for persecution of political opponents numerous times before and there is no guarantee that this data will not be used dishonestly. An employer might not hire a person due to his illness, sexual orientation or political views and since this is not public an appeal cannot be made in any instance.”
Another problematic provision inconsistent with the Constitution is Article V, paragraph C of the Draft Law, according to which personal data can be processed if it is necessary for “fulfilling an obligation granted by law”. If Article VI contradicted the Constitution with its overly broad and ambiguous formulation, the problem here is of specific character. “”Fulfilling an obligation granted by law” cannot be grounds for processing personal data. Article 41 of the Constitution constituting these grounds does not envisage such a provision. This means that the Draft Law changes the constitutional regulation of this matter as it establishes its contradictory regulation,”- states Sopho Verdzeuli, a GYLA lawyer.
Moreover, the Draft Law fails to reach a balance between the right of private life and freedom of information. According to Article III, paragraphs G and D of the Draft Law, it does not apply to the “aims related to the public or state security (including economic security), defense, operative-investigative activities, as well as criminal investigation activities” and “processing information of state secrecy.” According to Article XIX, Global Campaign for Free Expression, “Both are framed as class exceptions, meaning that the Draft Law will not apply to any data that falls in one of the relevant categories. No harm test is required and there is no provision for a public interest override. With regard to the exception – protecting data processed in relation to criminal investigations – this would allow police or judicial authorities to shield serious wrong-doing within their departments. This is not only contrary to international standards, inasmuch as it fails to incorporate a harm test or public interest override.”
Georgian Parliament once again fails to ensure the constitutional rights of Georgian citizens. The Draft Law on Personal Data violates one of the fundamental human rights – the inviolability of private life. It creates a possibility of releasing sensitive information for the aim of undefined public interest thus a high risk for its dishonest usage. Moreover, it envisages processing personal data for “fulfilling an obligation granted by law” – a provision inconsistent with the article 41 of the Constitution. And finally, the Draft Law on Personal Data fails to reach a balance between the right of private life and freedom of information as it does not require any harm test or public interest override for the exceptions of its application.