Public Service Regulation Commission (PSRC) recently circulated draft decision on Approval of Standards for Archives Stored by the Electronic Communication Service Providers. If adopted the decision would require all Internet service providers to collect and store for two years certain data of Internet service subscribers. Such data includes user identification data, i.e. full name, network login and passwords, user’s device identification data such as IMSI and IMEI, as well as Internet session records, duration, IP addresses and email address, time and date of email communication.
The review of the draft decision based on the RA legislation and international practices suggests that it does not correspond to the constitutional and law requirements on personal data protection of Armenia.
The draft decision circulated by PSRC will actually oblige Internet service providers to collect users' personal data, which according to the Law on Personal Data Protection, could be done only in case of their consent or in cases directly prescribed by the law (Article 8). According to the definition provided under the Law on Personal Data Protection “personal data is any kind of data which makes possible directly or indirectly identify an individual”.
It is worth to note that the Law on Personal Data Protection specifically emphasizes data indirectly identifying a person must be considered as personal data and treated accordingly. The IP address assigned to the internet subscriber, which allows identifying certain data about the person and the device number, can be used for identification of the person’s location, as well.
The law of Armenia does not allow collecting and storing personal data, such as emails addresses. Moreover, Article 26 of the Law on Operative Search Activities states that IP address and internet user/subscriber’s name or user ID are equalized to telephone conversations and (per Article 32) can be controlled based on the court decision.
The information about a subscriber, who seeks information or visits a website, such as beginning and end of Internet service, may definitely be considered an issue of private and family life. The right to inviolability of private and family life is protected by Article 31 of the RA Constitution and may be restricted only by law.
Our main concern is that the regulatory authority created for purely implementation of sectoral administration has reserved itself a norm restricting the rights of citizens not prescribed by the law. In fact, there is a precedent when any sectoral regulator can violate human rights and fundamental freedoms.
We consider this draft decision to be an act of arbitrariness, and we demand to denounce it immediately as an illegal and unconstitutional act.
Open Society Foundations – Armenia
Helsinki Citizens' Assembly Vanadzor
Transparency International Anticorruption Center
Journalists’ Club “Asparez”
Public Journalism Club
Committee to Protect Freedom of Expression
Ani Armenian Research Center