Today, the Georgian Parliament discusses the Draft Amendments to the Law of Georgia on Information Security, initiated by MP Irakli Sesiashvili, in the second reading. Civil society organizations issued a statement on the problematic issues in the proposed version of the amendments as soon as the bill was initiated. In particular, experts and representatives of the non-governmental sector believe that the proposed bill: A) creates a system that does not ensure effective information security at the state level; B) carries the risk of total control over information systems and/or the personal and commercial data contained in them; C) contradicts the norms of the Constitution of Georgia and the country's international obligations.
According to the suggested amendments, the information security management function will be transferred from the Data Exchange Agency (DEA) to the LEPL Operational-Technical Agency (OTA) of the State Security Service of Georgia (SSSG). Given the vaguely defined mandate of the SSSG, and the fact that the State Security Service is a law enforcement agency, the presented amendments increase the uncontrolled power of the Service, while the vague explanations offered in the package of amendments raise the risk of a broad interpretation of the norms by the SSSG.
It should be emphasized that the opinions expressed by the non-governmental sector in the framework of the committee hearings held during the first reading of the amendments were not actually reflected in the proposed draft. The recommendations taken into account by the initiators are limited to narrowing the scope of several terms, while the substantive and fundamental issues remain a challenge.
Adoption of the proposed version of the draft amendments would provide the State Security Service with legal leverage to obtain access to the information assets of the executive, legislative and judicial authorities and of private sector stakeholders without any public scrutiny.
One of the major challenges, concerning the grouping of the Subjects of Critical Information Infrastructure, remained unchanged through the second reading of the draft law. In particular, the amendments suggest dividing critical information subjects into 3 tiers:
- The subjects of the first category include state institutions, legal entities of public law and state enterprises;
- Electronic communication companies will be included in the second category of subjects;
- The third category covers legal entities of private law, such as banks and financial institutions.
The proposed regulation enables OTA to access the information infrastructure, systems and assets of the objects of critical information infrastructure falling under Tier 1, as OTA will be granted the authority to manage the sensors and monitors installed at these institutions in order to identify relevant computer security incidents. The definition of the subjects of critical infrastructure falling under Tier 1 and Tier 2, which covers private sector representatives, still remains a problem to be solved. Particularly challenging is sub-paragraph “G2” of Article 1 of the draft law, which extends the regulation to electronic communication companies falling under the scope of the Law of Georgia on Electronic Communications.
Since the first reading, the draft law has reflected, to some extent, the recommendations of IDFI and other organizations regarding the rules for carrying out audits of the Subjects of Critical Information Infrastructure falling under the second and third categories, which should be viewed positively. In particular, according to the currently proposed version, the authority to conduct primary and periodic information security audits of the subjects of critical information infrastructure of the third category remains with the organizations authorized by the Data Exchange Agency, or with the Data Exchange Agency itself. Moreover, the obligation of the objects of critical information infrastructure falling under Tier 2 or Tier 3 to submit to OTA audit reports prepared by DEA or by other entities authorized by DEA has been replaced by a rule to deliver one copy of the audit or penetration test report, in accordance with the categorization, to the Operational-Technical Agency or the Data Exchange Agency.
We reiterate our position that identifying external as well as internal risks in the field of cyber security, and the state taking relevant security measures, is of utmost importance. However, the focus needs to be on the nature of public administration systems and accountability mechanisms in the Georgian reality. A potential increase in the powers of the security sector without strict regulation carries increased risks of state intervention in the area protected by fundamental rights.
The draft bill, by its very nature and the regulations it introduces, contradicts EU regulations, the obligations undertaken under the Association Agreement and the requirements of the GDPR in terms of the procedures for processing personal data. Ensuring compliance with the above-mentioned regulations has not been taken into account, and no measures have been taken for this purpose in the process of drafting the amendments so far.
Accordingly, the Law of Georgia on Information Security needs to be revised and amended, especially with regard to the refinement of its enforcement mechanisms. Based on the above, we once again call on the Parliament of Georgia to:
1. Turn down the draft amendments to the Law of Georgia on Information Security;
2. Start reforming the Cybersecurity System of Georgia only after the National Cybersecurity Strategy and Action Plan are adopted;
3. Ensure the active participation of all relevant stakeholders, including representatives of local and international organizations as well as the private sector, in the process of preparing draft amendments to the Law of Georgia on Information Security.
Institute for Development of Freedom of Information (IDFI)
Media Development Fund (MDF)
Human Rights Education and Monitoring Center (EMC)
Georgian Young Lawyers Association (GYLA)
Small and Medium Telecom Operators Association of Georgia
Liberal Academy Tbilisi
Georgian Charter of Journalistic Ethics