European Approach to the Regulation of Personal Data Processing during a State of Emergency
Alexey Muntyan
Co-founder and Member of the Board in the Russian Privacy Professionals Association - RPPA.ru
Regulation of various aspects of personal data processing[1] is always of a great importance to any society in terms of protecting national security, public order, and interests of the population during a state of emergency (SoE). The reason for that focus resides in the very nature of a state of emergency, a special legal regime regulating activities of public administration and government, legal entities, institutions, and organizations, which is declared throughout the entire country or in some of its regions to protect against external or internal threats and maintain a public order. Such regime under a state of emergency implies limitations of the rights and freedoms of citizens and legal entities as well as imposition of additional responsibilities thereon.
Speaking of the population’s interests, circulation of data related to the privacy of natural persons (personal and family secrecy) refers to one of the most sensitive spheres, whose protection is subject to limitations during a state of emergency. In other words, a capability of law enforcement agencies to limit the right to the information privacy of people must be balanced with the necessity to honor human rights and freedoms in their fundamental sense. Considering that the practice of the personal data processing regulation originates from Europe where it emerged at the turn of the 60s and 70s of the XX century, and also that the member states of the European Economic Area (EEA) have more than fifty years of experience in the regulation of that sphere, it appears reasonable to study such experience for the potential reception of certain European approaches within the context of the state of emergency imposed within the territory of Kazakhstan in January 2022.
Through the prism of the European law, any operation related to personal data processing must be regulated (including, inter alia, any permission or limitation thereof) by a set of principles enshrined in the respective laws and regulations. In Europe, such fundamental legislative acts are the Convention of the Council of Europe, CETS No.108[2] (the Convention) and GDPR[3]. According to those legislative acts, protection of natural persons in relation to the processing of personal data is a fundamental right. The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. It is noteworthy that provisions of the Convention have the potential to become binding for Kazakhstan, if the country joins the Convention through an appropriate legal procedure (thus, the list of the member states of the Convention already includes the Russian Federation, Ukraine, Moldova, Georgia, Azerbaijan, and Armenia).

[1] Personal Data means any information related to an identified or identifiable individual person (“data subject”).
[2] The Convention of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No.108)
[3] General Data Protection Regulation, GDPR; Regulation of European Union) 2016/679.
Table Principles of Personal Data Processing in the EEA
The Convention
Lawfulness
Fairness and transparency
Limited purposes
Adequacy and no excessiveness in relation to the purposes
Accuracy and up-to-dateness
Limited storage time
-
-
Lawfulness, fairness,
and transparency
Data minimization
Accountability
Safe processing
GDPR
Limited purposes
Accuracy and up-to-dateness
Limited storage time
Article 9 of the Convention envisages the following circumstances when derogation from the personal data processing principles and limitations of basic rights and freedoms of data subjects may be allowed:
a) protection of the national security, defense, public order, important economic and financial interests of the state, and impartiality and independence of the judicial system; prevention, investigation and prosecution of criminal offences as well as enforcement of criminal law punishments; and other most critical purposes related to the protection of the population’s interests;
b) protection of the data subject or the rights and fundamental freedoms of others, in particular, of the freedom to opinion and expression.
However, this must stay in accord with the essence of the basic rights and freedoms, while the necessity and proportionality of such restrictive measures to be introduced in a democratic society must be justified.
The above-said approach is implemented in the course of the regular policy-making of the authorities within the Council of Europe. Thus, according to the Guidelines on Facial Recognition (T-PD(2020)03rev4) adopted by the Consultative Committee of the Convention on January 28, 2021, the legitimacy of the use of facial recognition technologies, including under a state of emergency, must be based on the biometric processing purposes stipulated by law as well as on necessary safeguards to supplement the Convention. Laws can provide different necessity and proportionality tests depending on whether the purpose is verification or identification, considering the potential risks to fundamental rights and as long as individuals' images are lawfully collected. For identification purposes, the strict necessity and proportionality must be observed both in the setting-up of the database (watchlist) and deployment of (live) facial recognition technologies in an uncontrolled environment. Ensuring security in controlled or uncontrolled environments, including schools or other public buildings, should not be considered strictly necessary and proportionate where less intrusive alternative mechanisms exist.
The similar position is held by two agencies of the European Union, which on June 21, 2021, called for ban on the use of artificial intellect (AI) for facial recognition and other methods of identification of people in public areas. Prior to that, the European Commission had proposed to introduce harsh measures on the use of AI in that sphere, rather than totally ban it. As declared in the joint opinion of Andrea Jelinek and Wojciech Wiewiórowski, the Heads of the European Data Protection Board, EDPB, and European Data Protection Supervisor, EDPS, respectively: “A general ban on the use of facial recognition in publicly accessible areas is the necessary starting point if we want to preserve our freedoms and create a human-centric legal framework for AI”. They called to ban on the use of individual recognition systems in publicly accessible spaces – such as of faces, gait, voice, fingertips, DNA and other biometric or behavioral signals.
The government of Kazakhstan may be recommended to study the mechanism of control over restrictions of basic rights and freedoms of data subjects set forth in article 23 of GDPR, where it provides for the mandatory presence of a legislative act to impose restrictions with regard to fundamental rights and freedoms of data subjects (including during a state of emergency), and also requires that such legislative act must contain special provisions on:
(a) the purposes of the processing or categories of processing;
(b) the categories of personal data;
(c) the scope of the restrictions introduced;
(d) the safeguards to prevent abuse or unlawful access or transfer;
(e) the specification of the controller[4] or categories of controllers;
(f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
(g) the risks to the rights and freedoms of data subjects;
(h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

[4] Any natural person or legal entity, public authority, agency or other body, which, alone or jointly with others, determines the purposes and the means of the processing of personal data.
Although at present Europe lacks relevant experience of imposing a state of emergency, it would be useful to refer to the law-application and judicial practices of the European Economic Area in respect of exercising control over basic rights and freedoms of data subjects as a whole.
An illustrative example would be an EDPS order filed to Europol in January 2022 to erase within 1-year data concerning individuals with no established link to a criminal activity. The reason is the overall volume of data kept in Europol’s databases, which is approximately estimated to be 4 petabytes. At the very least, the databases contain the information on the quarter of million suspects of terroristic activities and severe crimes, along with the information on other persons related to the suspects.

:
Those data were obtained from various law enforcement agencies of EU countries. Personal data were often stored and processed with no adequate grounds for that. As a result, EU residents could be mistakenly associated with criminal offences. At least some part of the database of Europol consists of the data on the persons who are neither ‘suspects’, nor ‘potential future criminals, nor ‘persons in contact or in relation with criminals’, nor ‘victims’, nor ‘witnesses’, nor ‘informants’.
In its turn, the Court of Justice of the European Union (CJEU) rendered a number of headline-making decisions to limit capabilities of law enforcement authorities and security agencies on the matters related to the processing of personal data of individual persons.
Thus, in October 2020 the court ruled[5] that unrestrained mass-scale surveillance of telephone and the Internet data was illegal and that it was necessary to limit authorities of the security services in France and other EU states. The court held that the general and indiscriminate retention of such data may be allowed when the governments face “a serious threat to national security” only. In that context, full access to the data of telephone and the Internet users may be provided during a limited period only as is “strictly necessary”. The ruling of the court also permitted collection and retention of IP-addresses within the same boundaries limited to “what is strictly necessary”. According to Court of Justice of the European Union, national courts must not take into consideration any information collected by the government in violation of the principles enshrined in the said ruling.
In March 2021, Court of Justice of the European Union declared[6] that access to the location data obtained from electronic communications may be used by law enforcement agencies only when investigating severe crimes and also to “prevent serious threats to public security”. According to the court, the EU law prevails over any national legislation that empowers public prosecution offices to access such data during criminal proceedings.
General conclusions (recommendations) on the approach practiced in the Republic of Kazakhstan to regulate the legal regime during a state of emergency. These conclusions (recommendations) are based on the review of the European experience in exercising control over limitations of basic rights and freedoms of data subjects:
1. To honor the essence of the basic rights and freedoms and to justify the necessity and proportionality of such restrictive measures to be applied in a democratic society;
2. To adopt relevant legislative acts on establishing the proportionality of such limitations with regard to the basic rights and freedoms of data subjects (including situations when a state of emergency is introduced);
3. To provide data subjects with the well-timed information on the character and details of the limitations affecting their basic rights and freedoms (insofar it does not jeopardize the purposes of the limitation);
4. To ensure supervision, which must be effective and not dependent on the government, to protect rights of data subjects and judicial system to ensure that law enforcement authorities and security services observe basic rights and freedoms of natural persons during a state of emergency.

[5] Judgments in Case C-623/17, Privacy International, and in Joined Cases C-511/18, La Quadrature du Net and Others, C-512/18, French Data Network and Others, and C-520/18, Ordre des barreaux francophones et germanophone and Others
[6] Judgment in Case C-746/18 H. K. v Prokuratuur