Is personal data protected in Georgia?

The new law on Personal Data Protection and perspectives of its adoption

In the modern world, taking into consideration the rapid development of information technologies, social networks, and various cyber systems, the protection of personal data is becoming more and more urgent. In the case of our country, besides, there is an ongoing process of Association with the EU, according to which Georgia has to improve the data protection practice and harmonize its legislation with the EU legislation. On these crucial issues, we talked with the director of SCO/NGO Innovations and Reforms Center, Mr. Giorgi Gabrielashvili

- Giorgi, your organization, is working on personal data protection for a long time now. On the 25th of June, you hosted an online event ‘GDPR and Georgian legislation,’ which was dedicated to the new draft law on personal data protection. Could you tell us why this draft law is important?

- Thank you very much for taking interest in this field. Personal data protection is a very important issue, but, unfortunately, in Georgia do not fully understand the importance of the issue and underestimate risks derived from improper processing of data. So, consequently, organizations act superficially. The fact is that improper processing of personal data and its consequences are often invisible until it causes significant damage for a person or the whole society.

In Georgia, Personal data protection as an independent regulatory field became important only in 2009-2011, approximately 40 years later than in Europe. The adoption of the law on personal data protection was mainly driven by obligations in the process of integration with the EU, and the named law was more or less in accordance with then acting EU directive.

Two years ago, in Europe, the reality was changed. On May 25, 2018, new General Data Protection Regulation - GDPR entered into force, which established new standards of data protection. GDPR is also very important as it has binding legal force throughout every Member State and has exterritorial scope, which means that it affects those Georgian companies who offer services to European customers or process their data. 

With GDPR entering into force gaps of Georgian legislation became more vivid. If we could say that the law of Georgia on Personal Data Protection was meeting at least minimal requirements, raising data protection standards in the EU made obvious the need for amendments. Last year State Inspector’s Office (former Office of Personal Data Protection Inspector) drafted a new law that is initiated in the Parliament of Georgia.

- How would you evaluate the draft law? What are the main challenges today in Georgia in the field of personal data protection, which should be addressed by the new law?

- Offered draft in really progressive and, in general, could be evaluated positively. It covers novelties offered by new European legislative instruments and essential organizational and technical measures for ensuring data protection. However, in-depth analysis of the draft leaves room for critical remarks and some important gaps remain. Our organization (Innovations and Reforms Center) has published well-founded observations and submitted them to the Parliament. 

It is important to note that in Georgia's existing public and private services, business models, databases are designed without taking into consideration the core and principles of data protection. When those systems were designed even the law on personal data protection did not exist and because of different historical or political reasons, data protection was not an issue at all. So, there is no culture of protecting personal data on one hand, and changing existing systems is expensive on the other. Consequently, there is no motivation for implementing new standards of data protection neither in public nor in the private sector. Taking into consideration given reality, the new law needs to address all those issues so sensitive in terms of data protection

For instance, the draft law offers important technical measures for protecting personal data as Privacy by Design and by Default, Data Protection Impact Assessment (DPIA). We believe that for these measures to work and accomplish their goal to become real tools for data protection it is important to define concrete means and scope (for which organizations and processes are these measures required), as well as the future law, must be in more compliance with the GDPR.

It is also very important to mention financial sanctions. Amounts offered by the draft law cannot even be taken seriously. In the given situation when Georgian companies and organizations do not have a high culture of data protection and awareness in the society is very low, for business, there is only financial motivation to comply with the requirements of the law. Nowadays we all agree that existing sanctions beginning from GEL 100 to GEL 10000 are not efficient at all. GDPR sets forth fines of up to 20 million euros, or up to 4% of the company’s entire global turnover of the preceding fiscal year, whichever is higher. In this light, fines offered by the draft law – minimal GEL 1000 to GEL 10000 or 20000 in case of repetition, will not serve as an efficient motivator for meeting the requirements of the law. Of course, taking into consideration Georgian reality the amount of the fines/sanctions cannot equal GDPR sanctions and Georgian companies cannot pay millions, but those fines must serve at least chilling effect or productivity and proportionality of the sanctions will fall under question. 

- Where is the process now?

- The draft law was initiated on May 22, last year, and only the first committee hearing was held since. The process is suspended for an indefinite time. Despite repeated communication with the Committee on Human Rights and Civil Integration, we have no clear answers regarding the timeline of the process. Of course, we understand ongoing processes, parliamentary work was not going in its usual way and COVID 19 pandemic has stopped the case. But still, during this period Parliament of Georgia managed to discuss and adopt several non-vital laws, the legislative process was not stopped in the country, so it was possible to adopt the law on personal data protection. This topic is of high importance as the adoption of the law will serve compliance of Georgian legislation with European standards and soon the possibility of making a decision by EU about free movement of personal data with Georgia might raise. 

Whether Georgian private and public sector is ready to meet requirements foreseen by new draft law we asked the representative of Privacy Logic Group, Anna Kapanadze

- Anna, your company is specialized in Personal Data Protection and you work with different companies and organizations and provide consultations on the topic. Are Georgian public and private sector ready for the changes in the field of data protection?

- Georgia has no long-standing culture and tradition of personal data protection, which is revealed in the attitude of companies as well. For public organizations and private companies to take the topic seriously and fundamentally reconsider their approaches, redesign new business processes, and change existing malfunctioning practices, it is crucial to have very clear and high standards and relevant motivation, which can be expressed in both financial and reputational sanctions.

Expectations for the new law are very high; many of our clients express their interest and plan corresponding changes. But the waiting time is too long by now, and I hope at least by the end of the year we will have a new law on Personal Data Protection.