MIRAS — total digital surveillance. Your secrets are no longer yours
Analysis
On November 21, news portals reported on the establishment of a new data collection system to be created by the State Security Service - the Centralized Information and Digital Analytics System (Abbreviated in Azerbaijani as MIRAS – ed.). Even though reports included references to the System's Charter, the document was apparently removed from the President's official website shortly after (the link still displays a 404 error).
Initially, commentator Javid Agha drew attention to this fact. Currently, it is feasible to get acquainted with the Charter at this link. Even though it is noted that the purpose of establishing MIRAS is to increase the effectiveness of the Service's activities, the commentator criticizes that the volume of data to be collected will be contrary to fundamental rights and freedoms.
“Tribunat” analyzed compliance of personal data collection procedure by MIRAS with domestic and international personal data legislation.
According to Article 7 of the Law “On Information, Informatization and Information Protection”, state bodies may participate in the formation of information resources. By Law, upon establishment, state bodies must obtain an opinion on the appropriateness from the Ministry of Digital Development and Transportation. This opinion should take into account technical requirements, as well as international standards and regulatory legal acts of the Republic of Azerbaijan in this area. In addition, the Ministry considers the following criteria:
· purposefulness and significance;
· technical effectiveness;
· economic, social and environmental efficiency;
· compliance with the requirements of regulatory legal acts;
· potential risks and managability;
· usability;
· “Mobile First” principle;
· utilization of open source components;
· possibilities of applying artificial intelligence and machine learning technologies;
· availability of support mechanisms for “open government”.
An imperative requirement for each state information resource is compliance with standards and legislation on the protection of personal data. According to the Rules “On the Formation, Maintenance, Integration and Archiving of State Information Resources and Systems”, the collection and processing of personal data in such information resources and systems must be carried out in accordance with relevant legislation.
According to Article 2.10 of the Rules, except for the cases specified in Article 3.2 of the Law “On Personal Data”, the collection and processing of personal data is allowed following inclusion personal data information systems in the Register. The relevant article of the Law allows the processing of personal data in connection with the implementation of intelligence and counterintelligence, operational-search activities, even if the information resource is not included in the Register, in order to ensure the national security of the Republic of Azerbaijan, as well as the rule of law.
In accordance with the Charter, MIRAS will operate in conjunction with other state information systems. Hence, the System can, if necessary, integrate with the Electronic Government Information System in real time and obtain information available in the electronic systems created by the state. Therefore, the list of information that can be obtained is quite extensive.
Article 5 of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), ratified by Azerbaijan in 2009, sets out principles for automatic personal data processing. These principles include purpose limitation (retained for specified and legitimate purposes and not used in a manner incompatible with those purposes) and data minimisation (adequate, relevant and not used for purposes other than those for which they are retained).
According to the MIRAS Charter, the purpose of the System is to fulfill the obligations of the Service arising from the legislation. Although the powers of the State Security Service are limited to criminal proceedings for violations against public interests by several legislative acts on state security (Laws “On Intelligence and Counterintelligence Activities”, “On Operational-Search Activities”, “On Combating Terrorism”, “On State Secrets”) and the Criminal Code, in reality there are well-founded allegations that the State Security Service operates outside the scope of its authority and in violation of human rights.
For a more comprehensive analysis of MIRAS's activities, it is necessary to align it with the authorities of the State Security Service. Via the information posted on the official website of the institution, the Service “carries out counterintelligence, operational-search and investigative measures to detect, prevent and suppress intelligence, terrorist-sabotage and other disruptive acts that may harm the independence, sovereignty, territorial integrity, constitutional structure, economic, defense, scientific-technical potential and other national interests of the Republic of Azerbaijan”. The Charter of the State Security Service is not available in open information resources; this creates hurdles for a broad analysis and creates an unclear and ambiguous impression in the public about the Service's activities, rights and duties. However, according to paragraph 13 of the Opinion of the European (Venice) Commission for Democracy through Law on Democratic oversight of the Security Services, it is necessary that regulatory acts on internal security are transparent and clear, and their secrecy should be ensured only when absolutely necessary.
One of the vital points that the Charter has made clear is the dissemination of a list of data that the State Security Service can collect and process about citizens. Even though there was no clear legal framework for this procedure previously, the Charter creates a clear impression of the collection and processing of personal data. One of the points criticized is that the list of data that can be collected is too broad. Hence, the data entered and transmitted according to the Charter are as follows:
· Identification data recorded in the identity card and passport of a citizen of the Republic of Azerbaijan (surname, first name, patronymic, date and place of birth, personal identification number (hereinafter - PIN), series and number of the identity card, number of the passport, date of issue and validity period, photograph of the person);
· information on the person's place of residence and registration at the place of stay;
· information on the driver's license;
· information on the vehicle owned (owned, used, leased) by the person (type, make, model, type of vehicle, state registration plate, surname, name, patronymic of the owner, series, number and PIN of the document confirming the identity);
· Information recorded in the identity card issued to a stateless person permanently residing in the Republic of Azerbaijan (surname, first name, patronymic, place and date of birth, PIN, country of origin, series and number of the identity card, date of issue and validity period, place of residence of the person, information on marital status and photograph);
· information on border crossing records of persons and vehicles, restrictions on border crossing;
· information on persons subject to preventive detention, convicted persons, as well as information on the status of the execution of preventive detention and sentences;
· information on the verdict or other final decision of the court;
· information on search and criminal cases concerning persons, payments for the execution of sentences;
· information on the registration of civilian weapons acquired by individuals and legal entities, special permits for the acquisition of civilian weapons, certificates confirming the right to keep and use firearms for hunting or sporting purposes;
· information on the family composition of a person (surname, name, patronymic of family members, date and place of birth, PIN, series and number of the identity card, date of issue and validity period, number of the general passport, date of issue and validity period, photograph of the person);
· information on birth, death, marriage, dissolution of marriage, determination of paternity, nationality;
· information on changed surname, name and patronymic;
· information on notarized powers of attorney;
· information on the acquisition of citizenship of the Republic of Azerbaijan, restoration of citizenship, termination of citizenship of the Republic of Azerbaijan, including renunciation of citizenship of the Republic of Azerbaijan;
· information on the issuance of temporary and permanent residence permits to foreigners and stateless persons in the territory of the Republic of Azerbaijan, as well as work permits for paid labor activities, including work permits issued in the Karabakh and East Zangazur economic regions, extension of the period of temporary stay of foreigners and stateless persons in the Republic of Azerbaijan, as well as registration of these persons at the place of residence;
· Identification information about foreigners and stateless persons who are prohibited from entering the Republic of Azerbaijan and whose departure from the Republic of Azerbaijan is temporarily restricted (surname, name, place and date of birth, citizenship, type, series and number of the document);
· information about the person's military service and place of military registration;
· information about the status of an internally displaced person and refugee;
· information about the status of a martyr or a martyr's family member;
· information on the employment status of the person, including employment contracts concluded in the form of electronic documents, information on the employment status of the Karabakh and East Zangazur economic regions;
· information on the person's receipt of pensions and other social payments;
· information on health status;
· information on registration as a narcological patient or psychiatric registration;
· information on the person's education and state documents on education (surname, name, patronymic of the person, PIN, name of the educational institution where the person studied, graduated, was expelled or reinstated, form of education, series, number, date of issue of the state document on education, specialty according to the state document on education, level of education);
· information on civil servants (information on the civil servant's labor activity, civil service, scientific activity, foreign language skills, conferences, seminars and other events attended by civil servants related to labor (professional) activity, state awards, honorary titles, state prizes, individual awards, disciplinary measures applied in civil service);
· information on subscribers related to the use of electricity, water and natural gas;
· information on the registration of legal entities and individuals engaged in entrepreneurial activity without creating a legal entity as taxpayers, types of activities, addresses of the taxpayer's business entity (facility), legal address and head specified in the documents on state registration of the legal entity;
· information on the registration of religious organizations;
· information on accommodation facilities, tour operators and tour agents providing tourism services, tourist guides;
· initial information transmitted by aircraft operators about passengers and aircraft crew members;
· information on decisions of the State Commission on Radio Frequencies of the Republic of Azerbaijan on the allocation of radio frequencies;
· information on the registration and operation of civil unmanned aerial vehicles (operating permit, operator certificate, pilot (operator) certificate);
· information on personal trips to the Karabakh and East Zangazur economic regions;
· information recorded in real time by video surveillance cameras of the “Safe City” automated management system.
This scope and extent are in conflict with the principles of purpose limitation and data minimization. While Article 9 of Convention 108 allows for “partial derogations” from the aforementioned principles for reasons of state security, such an exception or limitation must meet the criterion of “necessity in a democratic society”.
But how legality of this type of personal data collection and processing – mass surveillance, in fact, can be justified?
The guarantee of Article 8 of the European Convention on Human Rights (respect for private and family life) extends, inter alia, to personal data (M. L. and V. V. v. Germany; §87). According to the Court, where the Government carries out secret surveillance of an individual, the person being monitored may be deprived of the rights set out in Article 8 without having access to a remedy, either at national level or before the Convention institutions, if the person being monitored is not aware of its existence and is unable to challenge the surveillance (Klass and Others v. Germany; §36). There is no unlimited margin of appreciation for governments to subject individuals to secret surveillance (Zoltan Varga v. Slovakia; §151). In such cases, restrictions on the protected rights of individuals must be supported by relevant and adequate evidence and must be proportionate to a legitimate aim (Segerstedt-Wiberg and Others v. Sweden; §88).
Where domestic law does not sufficiently clarify the discretionary powers of the authorities to collect and process personal data in the context of surveillance, this interference with the life of individuals may amount to a violation of Article 8 (Shimovolos v. Russia; §66). In Szabó and Vissy v. Hungary, the Court interpreted the “necessity in a democratic society” standard and stated that, in general, the data collected must be aimed at safeguarding democratic institutions and, in particular, the surveillance must be aimed at obtaining information essential to each operation. Any measure that does not meet these criteria may lead to abuse by the authorities (§§72-73).
From the mentioned cases, it is possible to conclude that the ecosystem created by MIRAS may lead to a violation of the rights of individuals protected by Article 8 of the Convention. Non-compliance with the standards concerns both the set of data to which the System will provide access, as well as the principles of the System's operation. The System allows the state security body to gain access to data that is not clear how it will be useful for its activities (social payments, health status, utility payments, and the like). On the other hand, through MIRAS, the body will have the authority to gain access to such data in real time. This may lead to the collection and processing of data in an individual case without any reasonable justification and to cases of actual secret surveillance.
Another questionable point concerns the compatibility of MIRAS with best practices. Foremost, the architecture of MIRAS is not unique, as many countries are creating data reserves that are collected and processed in the era of digitalization. The tendency for centralization inherent in MIRAS makes it similar to China’s Social Credit or Russia’s SORM systems. The similarity is that systems such as MIRAS provide law enforcement agencies with unhindered access to and processing of personal data in bulk. This leads to violations of the rights of individuals by law enforcement agencies. A more optimal example is the Estonia’s X-Road system. Unlike MIRAS and its analogues, X-Road allows state agencies to process personal data collected in each other's information resources, but does not combine them into a single information resource. Requests for personal data are registered, and each individual has the right to be informed and to dispute this request. Since there is no centralized information resource, this approach creates the opportunity to prevent arbitrary behavior and cybersecurity risks.
The unrestricted collection and processing of personal data by law enforcement agencies leads to cases enducing gross violations of personal rights. Three years ago, the European Data Protection Supervisor ordered Europol, the coordinating body for law enforcement agencies in the European Union, to delete most of its personal data. According to investigations, Europol had been collecting and processing personal data for years, which resulted in abuses against individuals, for the purpose of joint law enforcement activities. Nonetheless, according to the Recommendation of the Committee of Ministers Regulating the Use of Personal Data in the Police Sector, the collection of personal data for law enforcement purposes should be limited to what is necessary to prevent a real threat or a specific crime. Where data about a person are collected and stored without their knowledge, they should, if possible, be informed that this data is being stored, unless the data is deleted. Informing them about it in a short time eliminates the possibility of non-judgment against the object of law enforcement action.
Concerns about the collection and processing of personal data should not be interpreted as unnecessary. The government has repeatedly come under criticism for its illegal interference with personal data for political purposes. From the public release of footage from the apartment of journalist Khadija Ismayil to the use of personal correspondence of figures in investigative materials as part of recent repressions, personal data is used by law enforcement agencies for harassment and intimidation. The most recent case on the agenda and causing great resonance is related to the Pegasus program. In 2021, the Organized Crime and Corruption Reporting Project (OCCRP) announced that the phones of more than 200 individuals, including activists, journalists, and critics, were monitored through the Pegasus program in the country. Even though those whose names were found on the list appealed to law enforcement agencies to investigate the case, they complained that the results were unsatisfactory and that the investigation was not conducted. Individuals dissatisfied with the results of the investigation appealed to the ECtHR for protection of their rights; the complaint is currently at the communication stage, and one of the rights allegedly violated is Article 8 of the Convention.
“Tribunat” concludes that the personal data intended to be collected and processed through MIRAS and the mechanism of operation of the System are not in accordance with local and international legislation on the protection of personal data and contradict good practices. The System leads to the creation of a mechanism of mass and total secret surveillance in the name of protecting the interests of state security. Bearing in mind the precedents on the protection of personal data, the System may lead to a violation of the protected rights of citizens, contrary to the principles of necessity in a democratic society.
DTX-nin Mərkəzləşdirilmiş İnformasiya və Rəqəmsal Analitika Sistemi yaradılır; https://report.az/daxili-siyaset/dovlet-tehlukesizliyi-xidmetinin-merkezlesdirilmis-informasiya-ve-reqemsal-analitika-sistemi-yaradilir
Prezidentin rəsmi veb-səhifəsinə göndəriş; https://president.az/az/articles/view/70628
Azerbaijan deletes plan for detailed surveillance system minutes after publication; https://oc-media.org/azerbaijan-deletes-plan-for-detailed-surveillance-system-minutes-after-publication
Mərkəzləşdirilmiş İnformasiya və Rəqəmsal Analitika Sisteminin Əsasnaməsi; https://drive.google.com/file/d/1H6t_TcSl2ZusPtyvB43-hiMEv1s2DU8L/view?ref=oc-media.org
Azərbaycanın ətraflı nəzarət sistemi ilə bağlı planı dərc edildikdən bir neçə dəqiqə sonra silinib; https://www.meydan.tv/az/article/azərbaycanin-ətrafli-nəzarət-sistemi-ilə-bagli-plani-dərc-edildikdən-bir-necə-dəqiqə-sonra-silinib
Azərbaycan Respublikasının “İnformasiya, informasiyalaşdırma və informasiyanın mühafizəsi haqqında” Qanunu; https://e-qanun.az/framework/3525
Azərbaycan Respublikasının Prezidentinin “İnformasiya, informasiyalaşdırma və informasiyanın mühafizəsi haqqında” Azərbaycan Respublikası Qanununun tətbiq edilməsi barədə Fərmanı; https://e-qanun.az/framework/3605
Azərbaycan Respublikası Nazirlər Kabiteninin ““Dövlət informasiya ehtiyatları və sistemləri, habelə elektron xidmətlərlə bağlı layihələrə texniki və səmərəlilik baxımından məqsədəuyğunluq barədə rəy verilməsi Qaydası”nın təsdiq edilməsi haqqında” Qərarı; https://e-qanun.az/framework/59985
Azərbaycan Respublikası Prezidentinin “Dövlət informasiya ehtiyatları və sistemlərinin formalaşdırılması, aparılması, inteqrasiyası və arxivləşdirilməsi Qaydaları”nın təsdiq edilməsi və elektron hökumətlə bağlı bəzi tədbirlər haqqında Fərmanı; https://e-qanun.az/framework/40020
Azərbaycan Respublikasının “Fərdi məlumatlar haqqında” Qanunu; https://e-qanun.az/framework/19675
“Fərdi məlumatların avtomatlaşdırılmış qaydada işlənməsi ilə əlaqədar şəxslərin qorunması haqqında” Konvensiya; https://e-qanun.az/framework/18625
Azərbaycan Respublikasının “Kəşfiyyat və əks-kəşfiyyat fəaliyyəti haqqında” Qanunu; https://e-qanun.az/framework/5454
Azərbaycan Respublikasının “Əməliyyat-axtarış fəaliyyəti haqqında” Qanunu; https://e-qanun.az/framework/2938
Azərbaycan Respublikasının “Terrorçuluğa qarşı mübarizə haqqında” Qanunu; https://e-qanun.az/framework/3855
Azərbaycan Respublikasının “Dövlət sirri haqqında” Qanunu; https://e-qanun.az/framework/5526
Azərbaycan Respublikası Prezidentinin “Azərbaycan Respublikası Cinayət-Prosessual Məcəlləsinin təsdiq edilməsi, qüvvəyə minməsi və bununla bağlı hüquqi tənzimləmə məsələləri haqqında” Azərbaycan Respublikası Qanununun və həmin Qanunla təsdiq edilmiş Azərbaycan Respublikası Cinayət-Prosessual Məcəlləsinin tətbiq edilməsi barədə Fərmanı; https://e-qanun.az/framework/360
Report of the Working Group on Arbitrary Detention on its mission to Azerbaijan, A/HRC/36/37/Add.1; https://digitallibrary.un.org/record/1303977?ln=ru&v=pdf
Dövlət Təhlükəsizliyi Xidmətinin rəsmi veb-səhifəsi; https://www.dtx.gov.az/az/fealiyyet-istiqametleri.html
Azərbaycan Respublikası Prezidentinin “Azərbaycan Respublikası Dövlət Təhlükəsizliyi Xidmətinin fəaliyyətinin təmin edilməsi haqqında” Fərmanı; https://e-qanun.az/framework/31813
Qanundan Demokratiyaya doğru Avropa (Venesiya) Komissiyasının Məxfi Xidmətlər üzərində Demokratik Nəzarətə dair Rəyi; https://www.coe.int/en/web/venice-commission/-/cdl-ad-2007-016-e
Convention against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment, Committee against Torture Concluding observations on the fifth periodic report of Azerbaijan, CAT/C/AZE/CO/5; https://digitallibrary.un.org/record/4050492?v=pdf
M. L. və V. V. Almaniyaya qarşı; https://hudoc.echr.coe.int/eng?i=001-183947
Klass və digərləri Almaniyaya qarşı; https://hudoc.echr.coe.int/eng?i=001-57510
Zoltan Varqa Slovakiyaya qarşı; https://hudoc.echr.coe.int/eng?i=001-211180
Segersted-Viberq və digərləri İsveçə qarşı; https://hudoc.echr.coe.int/eng?i=001-75591
Şimovolos Rusiyaya qarşı; https://hudoc.echr.coe.int/eng?i=001-105217
Şabo və Vissi Macarıstana qarşı; https://hudoc.echr.coe.int/eng?i=001-160020
China’s Digital Rise: Challenges for Europe: https://merics.org/sites/default/files/2020-05/MPOC_No.7_ChinasDigitalRise_web_final_1.pdf
Online and On All Fronts: Russia’s Assault on Freedom of Expression; https://www.hrw.org/report/2017/07/18/online-and-all-fronts/russias-assault-freedom-expression
E-Estonia, X-Road - Interoperability Services; https://e-estonia.com/solutions/interoperability-services/x-road/#:~:text=X-Road®%2C%20an%20open,services%20and%20platforms%20come%20online.
A data ‘black hole’: Europol ordered to delete vast store of personal data; https://www.theguardian.com/world/2022/jan/10/a-data-black-hole-europol-ordered-to-delete-vast-store-of-personal-data#:~:text=data%20ark”%20containing%20billions%20of,never%20involved%20in%20any%20crime
Avropa Şurasının Nazirlər Komitəsinin Hüquq-Mühafizə Sektorunda Fərdi Məlumatların İstifadəsini Tənzimləyən Tövsiyəsi № R (87) 15; https://rm.coe.int/0900001680929718
Khadija Ismayilova: The face of Azerbaijani defiance; https://ifex.org/faces/khadija-ismayilova-the-face-of-azerbaijani-defiance/
Pullar Azərbaycana hansı yollarla gətirilir? - Video; https://qafqazinfo.az/news/detail/pullar-azerbaycana-hansi-yollarla-getirilir-video-477529
Life in Azerbaijan’s Digital Autocracy: ‘They Want to be in Control of Everything’; https://www.occrp.org/en/investigation/life-in-azerbaijans-digital-autocracy-they-want-to-be-in-control-of-everything
DTX “Pegasus”la dinlənildiyi güman edilən ictimai şəxslərdən izahat alır; https://www.meydan.tv/az/article/dtx-pegasusla-dinlenildiyi-guman-edilen-ictimai-sexslerden-izahat-alir/
Avropa Məhkəməsi “Pegasus” işi üzrə Azərbaycan hökumətinə suallar göndərib; https://abzas.info/az/2025/10/avropa-mhkmsi-pegasus-isiec54b7b7-2/
