Years ago, the issue of personal data in Armenia was not of interest to the general public or the state. The situation is changing over time. Unfortunately, the positive changes towards a more serious approach to this issue are based on negative experiences. Leaks are only increasing and this is finally becoming a concern for people.
Let’s look at only a portion of the leaks during June-July 2020.
June 2: The “Anvil” Facebook page published lists of people killed by the coronavirus.
June 11: The Azerbaijani hacker group, which has been carrying out attacks on Armenian email and social media accounts for years, published more than 3,000 pieces of information on those infected with the coronavirus and those who have had contact with them. Names, birth numbers, addresses, telephone numbers and passport numbers were published.
June 24-26: The same hacker group published data on about 2,000 Armenians. This time without passport data.
July 6: Passport data of several hundred Armenians was published on an Azerbaijani hacker forum. Moreover, these are passport photos, and in some of them people were even photographed holding their passports. Such images are required, for example, by credit or similar organizations, where identity must be verified to ensure that a person does not use another citizen's passport.
Image caption: This is one example of a leak. The personal data section is covered.
July 7: Azerbaijani hackers published leaflets on Facebook about the inventory of a military unit of the Artsakh Defense Army, which also included information about the car park.
July 30: Data of more than 6,000 Armenians was posted on the Internet, including e-mail addresses, telephone numbers, addresses and passport numbers. Most likely, the leak was from the database of one of the bonus cards.
Control and statistics
Armenia has taken an interesting path in terms of personal data. The Law on Personal Data was adopted in 2002 and entered into force in 2003. The adoption of the law and its subsequent life remained far from the consciousness of society, as well as from the functions of the government. Never given flesh and blood, the law remained on paper.
In 2015, the Law on Personal Data Protection was adopted and entered into force. This was already a more or less conscious step by the state. A Personal Data Protection Agency was established, which operates within the system of the Ministry of Justice. The principle of state-public cooperation, which is the basis of the agency, is interesting.
According to the law, “the head of the authorized body for personal data protection is appointed for a term of five years… based on the joint proposals of at least five human rights NGOs.”
The agency is active, represented on social networks, where it provides consultation to citizens.
According to the agency’s report, in 2019, 83 administrative proceedings were initiated in the Personal Data Protection Agency on the basis of citizens’ applications or on the initiative of the agency.
For comparison, from the establishment of the agency in 2015 through 2018, a total of 67 proceedings were initiated, 16 fewer than in 2019 alone. In 2015, 2 proceedings were initiated, in 2016 – 11 proceedings, in 2017 – 21 proceedings, in 2018 – 33 proceedings.
Crime and punishment
Although the number of proceedings is growing, the reality hardly changes. Here are some key reasons:
a. The fines of 200-500 thousand AMD are very mild for personal data violations. For example, for a company that processes personal data, from a purely financial point of view and leaving aside the responsibility of the business, it is theoretically more profitable to pay a fine once than to hire a specialist and pay them the equivalent of a fine every month.
b. Data protection in state institutions should be put on a stronger footing. The agency has created a guide for the processing of personal data by state bodies, but a single guide alone does not solve the problem. The functions of the agency are not enough to correct the situation in the whole state system and adjacent structures. A more comprehensive conceptual approach is needed, which implies the introduction of processes at the government level, staff training and control.
c. Public opinion about personal data, although changing, is doing so very slowly, especially in this period, when the probability of leaks only increases. And there is mass ignorance about the data of minors. Without public awareness campaigns, any improvement in public opinion will be based mainly on negative experiences.
d. Public awareness also means monitoring specific cases, making them public, and presenting comprehensible statistics. In addition, the cases that have already taken place are not analyzed publicly afterwards; the relevant bodies present no conclusion as to what caused the leak or what was done to prevent a recurrence. The public never learns about the culprits, the relevant practical conclusions, or the steps aimed at correcting them (if, of course, these things take place).
e. One of the biggest problems with public awareness of incidents is that it is lacking. There are countries where an organization is obliged by law to make the incident public if there is a leak.
The logic is very simple: People should be aware that their information is open to the public or in the hands of criminals. In such a case, a person has the opportunity to take measures.
Thus, during the summer alone, there was a leak of passport data of about twenty thousand citizens. But there is no mechanism to inform people about it. In other words, most of them are not even aware that other people can use their data. In recent years, there has been only one case when, after a major leak, the organization took on the responsibility of raising public awareness through the press. It was the leak of the passwords of ABCDomain hosting users, after which the organization made an announcement. This is a unique positive example.
The conclusion from all this is simple: if large-scale and multilateral actions are not taken, data leaks will only continue. Or rather, their volumes will increase.
The views expressed in the column are those of the author and do not necessarily reflect the views of Media.am.