DRI on the amendments to the Law of Georgia on Information Security
By Khatia Bzhalava
Tuesday, September 22
Democracy Research Institute publishes a statement responding to the amendments to the Law of Georgia on Information Security and believes that the law uncontrollably increases the powers of the State Security Service and its operative-technical agency, a legal entity of public law, "which may lead to the total control of state bodies, local self-governments, judicial and legislative branches of government, electronic communications companies."
The statement reads that the proposed amendments immeasurably increase the circle of state and private sector entities that fall within the scope of the law. According to the draft law, "the list of critical information system subjects and the criticality classification for the respective subjects shall be approved by an ordinance of the Government of Georgia."
As the statement reads, when the legislative definition of critical information subjects is notably general and clear criteria for criticality classification do not exist, there is a real risk of abuse of power and arbitrariness.
According to the statement, the spread of practically indefinite control of the executive government over the information systems and information assets of local self-governments, courts, and parliament is also an equally important issue.
“The agency is granted the right to uncontrolled inspection of information assets on the ground of inspection of information-technological infrastructure… Therefore, in the absence of proper control mechanisms over the State Security Service and its subordinate operative-technical agency, the risks of uncontrolled access to personal communication, records, and personal information of the people employed in these institutions increase,” reads the statement.
DRI reports that the appointment of information security managers to all critical information entities is required according to the draft law. In particular, information security managers may be defined as persons who have access to state secrets. The statement notes that according to the Law of Georgia on State Secrets, the decision on access to the information is made based on the consent of the eligible subdivision of the State Security Service of Georgia.
The statement reads that the mentioned regulation enables the State Security Service to solely establish the list of persons who, in turn, will later define whether the agency should have access to the subject’s information asset in case an alleged information security incident occurs.
DRI finds it uncertain why three different bodies are equipped with a similar mandate to achieve the same goal, which, according to the institute, may cause irrational spending of state resources.
Democracy Research Institute believes that the amendments to the Law of Georgia on Information Security include the risks of total control and mass violation of human rights. DRI also remarks that the amendments grant the State Security Service an unjustifiably broad mandate to access information assets of private and state agencies.