Court Rules Georgia’s Surveillance Regulation Unconstitutional



Activists hold a poster reading: “Heed our voice – Don’t Eavesdrop on Us”, during a protest rally on the Rustaveli Avenue in Tbilisi on December 19, 2014. Photo: Eana Korbezashvili/Civil.ge

Georgia’s Constitutional Court ruled on April 14 that legislation allowing security agency to have direct, unrestricted access to telecom operators’ networks to monitor communications is unconstitutional.
 
The court has ordered to end this long-standing practice and to replace existing surveillance regulations with the new one before March 31, 2017.

In 2014 Parliament passed package of legislative amendments setting tighter rules for the law enforcement agencies to carry out surveillance activities, including through introduction of higher standards of justification required for security agencies to obtain court warrant on surveillance, as well as through increasing authorities of the personal data protection inspector.

But the key issue, which is in the legislation since 2010 and which allow security agencies to operate so called ‘black box’ spy devices in telecommunications service providers’ networks, remained unchanged.

In an attempt to allay concerns of civil society groups, which at the time were actively campaigning against long-standing problem of illegal surveillance, the government proposed so called “two-key” system. The government-backed package of legislative amendments were adopted – despite opposition from some lawmakers from the ruling coalition – allowing the Interior Ministry (at the time the State Security Service was part of the ministry, but it is a separate agency since last year) to retain direct access to telecom operators’ servers. The same legislation gave the office of personal data protection inspector the right to electronically authorize law enforcement agencies’ lawful interception of communications once there was a relevant court warrant – this system, involving security agency having direct access to telecom operators servers and personal data inspector having power to authorize monitoring is informally called “two-key” model.

But this model has failed to allay rights groups’ concerns who argued that as long as the security agency keeps operating its ‘black box’ spy devices in telecom operators’ networks – actually allowing them unfettered monitoring of communications, the law enforcement agencies can easily circumvent personal data protection inspector and launch unlawful surveillance.

After the legislation was adopted by the Parliament, President Giorgi Margvelashvili vetoed it, but the legislative body overrode the veto.

Public Defender’s Office (PDO) filed a lawsuit in the Constitutional Court requesting revoking these controversial clauses of the legislation in early 2015, arguing that these regulations were violating constitutional right to privacy. In addition, PDO also argued in its complaint that the security agency’s capabilities, allowing them unrestricted access to and collection of communications metadata (the time, length and phone numbers of the calls), was also unconstitutional.

A similar complaint was also lodged with the Constitutional Court by a group of civil society organizations, united in This Affects You campaign against illegal surveillance, in April 2015.

These two separate complaints were subsequently consolidated and the Constitutional Court delivered decision on April 14.

The Constitutional Court said: “The State Security Service possesses technical capabilities for eavesdropping and monitoring online communications, which allow mass (actually unrestricted) collection of personal information in real time.”

“These capabilities are only restricted by technical capacities of the equipment in the possession of the Security Service, which owns, manages and deploys these technical capabilities at communication servers. Although Personal Data Protection Inspector’s authority to issue permission to ‘activate target’ (to authorize eavesdropping) and to inspect the system serves mitigation of threat of unjustified interference in private lives, it still cannot be deemed a sufficient and effective mechanism for external oversight of the system.”

The Constitutional Court also ruled as unconstitutional existing regulations of metadata retention. It said that collection and retention of metadata serve “legitimate purposes” and retention of such data for a “reasonable” period of time does not in itself result into violation of constitution.

“The Court, however, points out that copying and retaining metadata by the very same agency, which itself is carrying out investigation increases threat of power abuse and unjustified restriction of constitutional rights,” it said.

The court said that retention of metadata for 2 years represents “unreasonably lengthy period of time, which results into disproportionate interference into [constitutional] rights.”

The Constitutional Court said that it understands “fundamental legislative amendments, as well as institutional and technical application of the new system”, stemming from this verdict, requires time and for that reason it set March 31, 2017 as the deadline for implementing this decision of the court.

This post is also available in: ქართული (Georgian) Русский (Russian)