January, 2010. Bulletin DP@CIS, issue 1. Irakli Sokolovski, Lawyer MKD
It is almost two decades since Georgia has undertaken the revolutionary steps aiming the fundamental reforms of Georgian legislation and its compliance with the newly emerged tendencies. Legislative measures have concerned almost all vital spheres of social, economical and political life. However, the said is not true for the issue of data protection. It seems that business or ethical rationale behind the comprehensive scheme of data protection is not well understood yet in Georgia.
Existing Georgian privacy law
There is little specific privacy law in Georgia. As the country has not enacted the lex specialis legislation on data protection, the issue is mainly dealt in general manner. The Constitution of Georgia refers to the general right of privacy stating that private information of the person shall not be accessible without the consent of such person. Likewise, the Civil Code of Georgia makes no specific mention of privacy only referring to the general notion of non-materials rights of the person and establishing the general right of the person to have access to his/her private data. General regulation of data protection is also envisaged in General Administrative Code of Georgia. However, the latter is only applicable in vertical relationships and may be invoked only in relations of public law kind.
Sector-specific approach to data protection matter can be found in exceptional cases and in statutes such as the Tax Code of Georgia, Law of Georgia on Commercial Banks, Decree of National Commission of Communications of Georgia on Provision of Services and Protection of Consumers’ Rights in the Sphere of Electronic Communications. However, the scope of application of these statutes is very narrow and covers the specific spheres for which these regulations have been enacted. As far as the definition of personal data is concerned, only two statutes provide the specification in this respect. According to General Administrative Code of Georgia personal data (information) means public in-formation allowing identification of a person.
Further Decree of National Commission of Communications of Georgia on Provision of Services and Protection of Consumers’ Rights in the Sphere of Electronic Communications defines private data as information concerning the name of consumer, the address of the technical medium location, telephone number, received services and paid amounts, as well as other information which allows the identification of the consumer.
Consent or notification?
The huge controversy persists concerning preconditions for the disposal of personal data as Georgian legislation does not address this issue in explicit manner. The matter mainly arises upon collection or procession of personal data whereby it shall be ascertained whether con-sent of the concerned person is incumbent or mere notification would suffice for such collection or procession. Only Administrative Code of Georgia explicitly states that in these cases administrative body shall inform concerned person about the objectives and legal grounds for processing personal data. However, as ambit of General Administrative Code is restricted to public law relations, the issue remains unclear for example in labor relations, whereby the collection or disposition with personal data is of the frequent character.
In the absence of clear cut regulation, said matter is scrutinized in the light of general legal principles applicable within the Georgian law. Based on that, it is argued that collecting or processing of personal data can be undertaken only by virtue of the consent given from the concerned individual. This conclusion is particularly due to the principle of “ownership” enjoyed by the individual in relation to his/her private nonmaterial rights (inter alia the personal data), such ownership may be interfered only with the permission of that individual or without such permission based on explicit exemptions foreseen by the legislation.
Moreover, Georgian legislation is uncertain about the specific form of the arrangement envisaging the consent of the individual. It is still ambiguous whether verbal consent or unilateral declaration of the individual would be sufficient for the disposal of personal data. In any case, for the data controller to have “safe harbor” the written arrangement envisaging the consent of the individual is recommended (for example, ad hoc contract envisaging the preliminary unambiguous consent of the party on processing the personal data by the company). Such mechanism accommodates binding force and legal enforceability of disposal with data.
On the other hand, Georgian legislation does not envisage data protection principles to which the data controllers (e. g. employees) shall comply with in order to en-sure that processed, collected or stored data is maintained in safe conditions. Accordingly, the absence of code of conduct for the data controllers entails the potential risk related with the abuse of personal data.
Cross border transfer of personal data
Another issue lacking the express regulation under Georgian law is the cross border transfer of the personal data. In the absence of specific regulation, the consent based system of processing of personal data, as mentioned above, shall be applicable.
However, there is no same provision under the Georgian law as envisaged by EU legislation that transfer of personal data shall be limited to the jurisdictions not providing the “adequate” protection for personal data. Accordingly, the risk of the abuse of personal data exported in countries without “adequate protection” of personal data seems very problematic.
In data protection area the winds of changes are not blowing across and it is unlikely that situation is this respect to be changed in nearest the future. Although certain international projects have been initiated to prompt the adoption of respective legislation, still there is no universal consensus over the need for comprehensive data protection law. The absence of respective legislation has predominantly two-fold impact:
- the privacy rights of the individuals are jeopardized as the current state of legislation is not sufficient to ensure the effective protection of personal data;
- it puts Georgia outside the out-sourcing tendencies, as the latter entails transfer of great quantities of personal data.
Nonexistence of specific laws on data protection matters can pose a major challenge for the multinational companies that manage the human resources where the personal information is transferred cross-border. Particularly, the complication may arise where the export of personal data from EU is at stake, as the latter precludes such transfer if the transferee state does not pro-vide the “adequate” protection for personal data. With regard to the contemporary state, Georgia is not deemed “adequate” by EU.