NGOs Claim Information Security Bill Contradicts Constitution
The draft law on amendments to the Law on Information Security is being discussed in the Parliament of Georgia, which, according to some non-governmental organizations, contradicts the Constitution and contains a number of serious risks.
The NGOs claim that the ineffectiveness of the same law, passed in 2012, to high-profile cyber attacks and modern challenges, makes it clear that an upgrade of the cybersecurity legislation is much needed. However, they stress the bill establishes a system that fails to ensure the effectiveness of state-level information security, contains risks of total control over information systems and personal and commercial information protected therein, and contradicts the norms of the Constitution of Georgia and the country’s international obligations.
The proposed changes prepared by Irakli Sesiashvili, Chairman of Parliament's Defense and Security Committee, fundamentally change the current cybersecurity system in Georgia. According to the draft, LEPL Operational-Technical Agency (OTA) of the State Security Service is to become the main coordinating and supervisory body of information and cybersecurity. The Agency will be entitled to cover the critical infrastructure of both public and private entities. It will be added to the governance pillar of cybersecurity, which will be authorized to supervise relevant institutions, and at the same time cooperate with them.
The non-governmental sector considers that such a centralized and unbalanced system cannot be effective and focused on improvements in this field.
“The State Security Service is a law enforcement agency that, for security purposes, has a direct interest in having maximum access to various information infrastructure and can easily meet this interest if it is equipped with legal mechanisms, in particular the right to issue bylaws,” the statement of the NGOs reads.
Also, according to the draft law, the Data Exchange Agency (DEA), a LEPL of the Ministry of Justice, will be responsible for exercising its power in coordination with the LEPL of the State Security Service- OTA.
The draft amendments suggest a three-tier categorization for objects of critical information infrastructure:
1. State agencies, institutions, LEPLs (other than religious organizations) and state enterprises;
2. Electronic communication companies;
3. Banks, financial institutions and other entities of private law.
The NGOs say that the rights and responsibilities of DEA are unbalanced and incompatible.
“The risk of gross and unjustified interference in the management of information systems by private organizations appears. In addition, if banks are considered as a critical information system subject to the data exchange agency, DEA and the National Bank will be two different bureaucracies with duplicate functions,” the organizations said.
The statement also reads that OTA will have direct access to the information systems of the legislative, executive or judicial authorities, individual public agencies, including the Central Election Commission, as well as the National Bank and the telecommunications sector, and therefore indirect access to the personal and commercial information protected in the systems.
“The bill creates the possibility of processing personal data without the permission of the court, while the ambiguity of the norms creates the real danger of inappropriate and disproportionate processing of personal data,” the NGOs added.
The third sector believes that in addition to the risk of unjustified interference and surveillance in private life, the bill does not comply with the Constitution of Georgia, as there is a risk of violating the privacy of individuals.
The statement also notes that the draft law does not comply with a number of principles of the European directive on high standards of network and information systems security, which are obligatory for Georgia under the Association Agreement with the European Union.
The NGOs believe that a management model should be developed to ensure the transparency and effectiveness of the information security system, which requires:
• The involvement of all stakeholders in the process of preparation of amendments to the Law on Information Security;
• Harmonizing the bill with the National Cyber Security Strategy and Action Plan;
• Studying the experience of European countries in order to adapt best practice to the reality of Georgia.
The organizations call on the Parliament Speaker to hold a public meeting with the involvement of relevant parliamentary committees, experts in the field and the third sector to discuss in detail the problems associated with the submitted draft law.
By Tea Mariamidze
Image source: 360smartnetworks.com