Issue 1, 2014. February-March

   

PRIVACY MATTERS

Georgia made one step forward in a recently published 2014 World Bank Doing Business Report - an annual survey of the ease of doing business around the world - and now it holds the 8th place among 189 countries, in large part due to the implementation of a new law on personal data protection. Lawyer Giorgi Narmania looks at the development of personal data protection regime in Georgia.

Giorgi Narmania

Introduction

Forty years has passed since Sweden's Data Act of 1973, the first comprehensive national data privacy law, was enacted. In 1995 the EU Data Protection Directive was adopted and it is regarded as the foundation of a modern global data protection regime. Currently there are more than one hundred countries with data privacy laws, while up to twenty other jurisdictions are in the process of promulgating privacy laws and have official bills under review before their legislatures or governments.

The Georgian Law on Personal Data Protection was enacted on December 28, 2011 and entered into force on May 1, 2012. It is, by and large, in line with the EU Data Protection Directive and applies to the processing of personal data in the territory of Georgia by public and private entities. Protection of personal data constitutes an essential part of the recently initialed EU-Georgia Association Agreement, which provides for cooperation in order to ensure a high level of protection of personal data in accordance with the international standards.

The law was merely on the books, however, until summer 2013, when a Personal Data Protection Inspector was appointed and the Inspector's Office was established. The Office is now fully operational and it has already adopted a few guidelines related to the transfer of personal data abroad, processing of biometric data and the running of filing system catalogues. While the law provides a grace period for the private sector for some of its provisions until January 1, 2016 - the Inspector's Office cannot examine private companies' compliance with legal provisions or impose sanctions for breach until this date - the law is already applicable to private companies. This means that individuals can themselves sue private companies in court for violations of their privacy rights.

Impact on Private Companies

The law prescribes significant obligations for companies that process personal data. "Personal data" means any information relating to an identified or identifiable individual and includes one's name, personal identification number, address, date of birth, telephone number, etc. The law applies to personal data of employees, customers or any other third-party service providers. It affects the whole process of the personal data life cycle, i.e. collection, use, storage and destruction of personal data. The personal data must be processed in accordance with the principles set by the law, such as: an individual's consent to process his/her personal data shall be obtained; personal data shall be processed only for explicitly specified legitimate purposes; data shall be adequate and not excessive in relation to the purposes for which it is processed; data shall be valid and accurate and can be only kept for as long as it is necessary for the data processing purposes, etc.

The law imposes stricter obligations with respect to sensitive personal data and biometric data. Sensitive personal data refers to any personal data that contains any of the following attributes: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, state of health, sex life or criminal record. Biometric data means physical, mental or behavioral features of the person and includes fingerprints, facial features, DNA, etc.

The financial services, telecommunication and healthcare industries have to observe the requirements set by the law with special diligence. These sectors keep large volumes of customer information, including personal data, which was collected and maintained over the years. Therefore, they might have to review entire process-chain of their business.

"It is a well-established practice in Georgia to collect as much data as possible since you do not know what type of data you need and when," noted Personal Data Protection Inspector Tamar Kaldani in an e-mail interview.

"The private sector processes a high volume of personal data and therefore they constitute important major data controllers and processors. At the current stage, general public awareness as well as awareness of organizations toward data protection related issues is quite low and the Office is concentrated on raising awareness and educating data controllers/processors in this regard".

The law prescribes significant penalties for noncompliance with the personal data protection rules ranging from 100 Lari to 10,000 Lari for each individual case. Breach of these rules might also lead to serious harm for a company's reputation.

Direct Marketing

The law provides special regulations for direct marketing, which is defined as offering products, service or employment by means of mail, telephone call, e-mail or other means of telecommunication. Personal data can be processed for purposes of direct marketing if the data is received from public sources (e.g. public directories) or if individual's explicit consent exists.

Several Georgian companies do not seem to comply with the direct marketing rules set by the law. People having Georgian phone numbers receive numerous advertising spam SMS messages from the companies they have never done business with. The practice has been controversial; Transparency International Georgia launched anti-spam SMS campaign by naming and shaming the companies that violate the direct marketing rules and send out unsolicited mobile ads.

The Personal Data Protection Inspector's office is working on legal amendments which will introduce certain additional anti-spam regulations that would restrict unsolicited SMS flows and provide an easier opt-out mechanism. According to the amendments, a person receiving unsolicited mobile or e-mail ads will be able to reply and request the sender to discontinue processing of personal data for direct marketing purposes. In contrast, current regulations provide that a written request must be submitted to the data processor if a person does not want to receive the direct marketing messages.

Transfer Outside of Georgia

According to the law, the transfer of personal data outside of Georgia is allowed if adequate safeguards for the protection of data are ensured in the state concerned. The Inspector's Office has not yet determined the list of countries providing adequate protection. The EU maintains a "white list" of countries where personal data can be transferred without any further safeguards.

Transfer of personal data to another state is also possible with Inspector's prior approval, if the transferor provides adequate safeguards for data protection on the basis of an agreement concluded with the recipient of the personal data. The Inspector's Office has already issued instructions prescribing the procedure for getting permission to transfer the personal data abroad, which might take up to thirty days. Getting the specific approval for each particular transfer might become burdensome for international companies operating in Georgia that exchange information on an everyday basis with head office or parent company located abroad. Therefore, it would be desirable for the Inspector's Office to elaborate an authorization procedure for binding corporate rules to govern the transfer of personal data within a corporate group and adopt standard contractual clauses for the transfer outside of the group. Such options are widely used abroad, including in EU countries.

The Way Forward

According to Inspector's office, several amendments to the Georgian personal data protection regime are currently at the drafting stage and will be introduced later this year.

"The amendments aim to enhance the current regulations and reduce ambiguities in the law. For example, the range of sensitive personal data will be enlarged; provisions related to direct marketing will be enhanced and regulations on video surveillance in public transportation means will be added, etc.," Kaldani stated in an e-mail interview.

"The amendments provide for the full enactment of the Law on Personal Data Protection in 2014/2015 instead of 2016 and also foresee increased sanctions for some significant violations of the Law on Personal Data Protection."

The Georgian personal data protection regime shall provide a framework to process personal data in a manner that balances both the right of individuals to protect their personal data and the need to process the personal data for legitimate and reasonable purposes. Depending on the type of the organization, complying with the data protection rules can be costly and tedious. The law restricts excessive and unnecessary collection of an individual's personal data by public and private entities and prescribes various rules. Companies will have to change existing data processing practices to comply with these requirements.

Giorgi Narmania is a lawyer and tax specialist. He holds an Adjunct Lecturer position at Ilia State University. Giorgi Narmania graduated from Tbilisi State University with a Bachelor of Laws Degree and received his LL.M. in Commercial Law from Erasmus University Rotterdam. If you have questions about the Georgian Personal Data Protection regime or would like to provide feedback, contact: giorgi.narmania@gmail.com