President of the Personal Data Protection Service of Georgia;
Professor at Ivane Javakhishvili Tbilisi State University;
Visiting Professor at the Autonomous University of Barcelona.
Q1. Can you give us a brief history of Georgia's Data Protection Law?
In Georgia, personal data protection is regulated by an overarching legislative act – Law of Georgia on Personal Data Protection, which was enacted in 2011. The Law regulates the processing of personal data by public, private institutions, and law enforcement bodies. In general, the Georgian model of personal data protection legislation is similar to the European one, where the domestic and international regulations envisage the functioning of the law applicable to all sectors under the so-called “umbrella” legislation. Furthermore, Georgia is a party to CoE “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data”, also, to an “Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows”.
In 2022, the Personal Data Protection Service of Georgia conducted further research to examine the compliance of the Draft Law on Personal Data Protection with the international standards and guidelines in contemporary data protection and privacy. Just recently, in June, the Parliament of Georgia adopted it, which contributes to fulfilling Georgia’s international obligations and brings the existing legislation in the field of personal data protection closer to European standards.
In a nutshell, the adopted new law significantly enhances the rights of data subjects and expands guarantees for their protection. Important changes concern the rules of data processing for direct marketing purposes. The legal norms related to audio monitoring and the processing of the personal data of minors are introduced. Also, the data processing of deceased individuals is regulated in a new manner. Additionally, the new law ensures the prioritization of greater data protection as the default method before considering an alternative approach when creating a new product or service (data protection by design and by default). Besides, a significant novelty is that the new law introduces the institute of Personal Data Protection Officer, who should be appointed or designated by public institutions, insurance organizations, commercial banks, microfinance organizations, credit bureaus, electronic communication companies, airlines, airports, medical institutions, and by any person responsible for data processing or authorized for processing a large amount of data or implementing systematic and large-scale monitoring of data subjects’ behaviour. Furthermore, the new law also requires the prior assessment of the impact of data processing, should there be a high probability of a threat to fundamental human rights and freedoms, taking into account new technologies, data categories, scope, purposes, and means of data processing. It is worthwhile that the new law obliges the person responsible for data processing to notify the Personal Data Protection Service of Georgia of any incidents. Additionally, the introduced legal novelties concern the increased amount of administrative fines for violation of data protection legislation. The non-compliance with the legal requirement of the Service is now envisaged as a new offence, which is punishable by a fine. 
It is noteworthy that most of the obligations and legal novelties stipulated by the law will enter into force from March 1 of next year. In contrast, particular provisions such as Data Protection Impact Assessment, Personal Data Protection Officer and corresponding norms of administrative sanctions related to those obligations, will come into effect from June 1 of the following year.
It can be indeed said that a new era of personal data protection is beginning in Georgia, which will help the Personal Data Protection Service of Georgia to continue and strengthen personal data protection in the country based on European values. I would like to express my gratitude to everyone whose involvement made it possible to adopt the mentioned new law.
Q2. How does Georgia work with international instances to ensure the data of her citizens is protected?
The Personal Data Protection Service of Georgia actively participates in international formats, and bilateral or multilateral meetings on behalf of Georgia, including the sittings and working groups operating in the field of personal data protection.
First of all, I would like to highlight the recent achievement of our Service. Recently, the European Data Protection Board (EDPB) members decided to accept the request of the Georgian data protection authority to become an observer to EDPB’s activities. The Board has taken note of the information provided on the PDPS and the Georgian law on the protection of personal data. The EDPB Secretariat has also consulted the European Commission to ensure homogeneity with the European Institutions, and the request has been evaluated by the EDPB members in the plenary meeting. Indeed, it is a significant milestone in the history of Georgian personal data protection law and, over the course of the existence of its supervisory authority to the extent that it further ensures the compliance of the activity of our Authority with European standards. To this end, I would like to thank our counterparts for their support and cooperation.
The Service is represented at the plenary meeting of the Consultative Committee established under the CoE “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data”. The Service is an accredited member of the Global Privacy Assembly, a participant in the GPA Global Cross Border Enforcement Cooperation Arrangement (GCBECA), a Co-chair of the Data Protection Metrics Working Group, and a member of the several GPA working groups, in the scope of which we have excellent cooperation with the counterpart data protection authorities. The Service is also an accredited member of the European Conference of Data Protection Authorities, the so-called “Spring Conference”. We are a member of the Conference steering group, which is membered by the representatives from data protection supervisory authorities of Bulgaria, Cyprus, Hungary, Iceland, Latvia, Switzerland and the United Kingdom, who decided to select the Service as the coordinator of the working group. Last year, at the panel session of the 30th Spring Conference, I was honoured to give a speech regarding the mandate of our Authority and its strategy with respect to international cooperation. This year, at the 31st Spring Conference, I was delighted to chair and moderate one of the panels on judgement and decisions of the European Court of Human Rights and the Court of Justice of the European Union.
Moreover, the Georgian data protection authority is a member of the Global Privacy Enforcement Network (GPEN), the International Working Group on Data Protection in Telecommunications (IWGDPT) and the Central and Eastern European Personal Data Protection Authorities (CEEDPA), the 22nd annual conference of which we are pleased to host next year. Since last year, the Service has held observer status at the International Conference of Information Commissioners (ICIC). Additionally, since December 2022, the Service has been represented by the delegate in the CoE Committee on Artificial Intelligence (CAI). Furthermore, this year, I was delighted to participate in the Privacy Symposium in Venice and gave a talk about the national legislation on personal data protection and the draft law; the international relations, as well as the international networks and platforms in which the Service actively participates.
Over the course of its existence, the Personal Data Protection Service of Georgia has established remarkable cooperation with the foreign counterpart data protection authorities. In 2022, Memorandums of Understanding, which aim to share the best practice and support other initiatives for continued cooperation, were concluded with the Croatian and Italian data protection authorities. Moreover, last year, in cooperation with our German colleagues, the Technical Assistance and Information Exchange (TAIEX) instrument of the European Commission was implemented, which aimed at sharing the best practice on inspection methodology in the field of data protection.
It is remarkable that last year, we hosted the European Case Handling Workshop (ECHW), in which 50 delegates from the personal data protection authorities of 26 European countries participated. More than 25 speakers from 16 countries, including the representatives of the European Data Protection Supervisor (EDPS) and the International Committee of the Red Cross (ICRC) shared their practice and experience in the field of data protection.
We are committed to collaborating with our international partners to ensure the highest standards of data protection. From time to time, we host international conferences which are aimed at sharing the best practice and experience. For example, on March 1, the Service held an international scientific conference call – “The State of Personal Data Protection and its Legal Aspects in Georgia”, by which our Authority celebrated its establishment anniversary. The representatives of the judicial corps, academic circle, and legal practitioners participated in the Conference, and Mr. Leonardo Cervera-Navas — Director of the Office of the European Data Protection Supervisor (EDPS), contributed as a special guest.
Q3. Tell us about your Authority’s most innovative initiatives.
The mission of our Authority is to advance a culture of respect for private life, raise public awareness, and uphold European standards for the protection of human rights and fundamental freedoms. To this end, we try to be innovative in our approach to cooperate with our stakeholders and enhance the state of data protection in the country. With the aim of advancing the effective application of the supervisory functions, last year, a branch office of our Authority was established in Batumi city and recently, a new unit — the Department of Planned Inspections, was created within the organizational structure of the Service.
I could furthermore mention some of the other initiatives. In 2022, in celebration of the 4th anniversary of the application of the “General Data Protection Regulation”, the “Journal of Personal Data Protection Law” was established as a bilingual, international scientific publication of the Service. It is intended to serve as a platform for legal experts, scholars, and practitioners to share their knowledge, research, and insights on personal data protection laws. The Journal aims to provide a legal analysis of pressing issues, highlight the best practices and raise public awareness. The Journal operates under the guidance of the international Editorial Board, which is membered by professors from Georgian and European universities, scientist-researchers of public law. The first issue of the Journal was published this year and was dedicated to International Data Protection Day.
Moreover, just recently, we launched the “Newsletter” series, which is issued once in four months and aims to cover the most profound activities of our Authority along with other trends of data protection and privacy.
Since last year, the Service has been holding public lectures and conducting a series of regional meetings with an aim to raise awareness towards personal data protection. To this end, we have also been running awareness-oriented public campaigns, such as #MakeaHabit Personal Data Protection, which lasted for a month and entailed the publication of illustrated cards giving significant advice with respect to data protection and privacy. Moreover, we also hold awareness-raising events for the children. Last year, the Service announced a blog contest for school students on the topic: “My Personal Data and Eyes Wide Open”. Additionally, this year, the Service collaborated with the Faculty of Law of Ivane Javakhishvili Tbilisi State University regarding a clinical legal education that provides Master’s program students with an understanding of the skills required for legal practice in the field of data protection and privacy.
Q4. Tell us about your experience as a GPA member.
As a GPA member, the Personal Data Protection Service of Georgia has advanced and fostered cooperation with its counterpart data protection authorities. The Assembly has provided us with a significant opportunity to contribute to the development of global data protection standards through knowledge-sharing and engaging in thematic discussions. As a member, the Service has gained access to worthwhile resources and knowledge from other GPA members. This has allowed our Authority to stay up to date with the latest trends and best practices in the field of data protection and privacy.
As we live in a data-driven age and in the era of increased technological progress where the protection of human rights and freedoms is of utmost importance, I am confident that data protection authorities stand united in dealing with emerging challenges. That again emphasizes the importance of international platforms that help the data protection authorities to improve their strategy policy of activities and implement the best standards for tackling common challenges. So, we are more than thankful for this opportunity and remain committed to the objectives and strategic goals of the GPA.