In the context of ongoing, large-scale pro-European protests, the “Georgian Dream” has been actively employing enhanced video surveillance mechanisms and facial recognition technology against demonstrators. This trend has become particularly evident since December of last year, following repressive amendments to the Code of Administrative Offenses that substantially increased fines for frequently used forms of protest-related offenses - such as blocking roadways.[1]

It is worth noting that general-purpose surveillance cameras[2] operated by the Ministry of Internal Affairs (MIA) were already installed in public areas of Tbilisi, Rustaveli Avenue - primarily at intersections and underground passages. In addition, numerous private and commercial establishments also operated video surveillance systems covering outdoor spaces. However, over the past several months, the number of surveillance cameras near the Parliament building has significantly increased, particularly against the backdrop of uninterrupted public protests. This activation of video surveillance systems may reflect a shift in GD’s strategy to suppress protest. Whereas the MIA had previously relied on disproportionate force and special means near the Parliament, it appears that once GD pivoted toward a legislative and punitive approach to suppress protests, the authorities began to install dozens of facial recognition cameras at assembly sites.

Cameras Installed for “Georgian Dream’s” Rally

The installation of surveillance cameras in direct connection with public assemblies was first observed on October 23 of last year, during a pre-election demonstration organized by Georgian Dream. In response, Social Justice Center submitted a formal request to the Personal Data Protection Service to investigate the legality of data processing through these cameras. Nearly four months after filing the request, the Personal Data Protection Service informed us that it had not initiated an investigation, citing the alleged removal of surveillance devices at the time of inquiry and the inability to confirm that Georgian Dream had engaged in any data processing.[3]

It is important to note that in order to initiate a review of data processing legality, the processing need not be ongoing or continuous. It is sufficient to identify a potential violation of data processing principles or rules, even within a brief timeframe. Despite the removal of the cameras, the Service was obligated to investigate the circumstances outlined in the complaint and respond appropriately to prevent future violations.

Installation of Facial Recognition Cameras at Protest Sites

For nearly two months following the Georgian Dream-organized demonstration, there were no publicly reported installations of additional cameras - including those equipped with facial recognition technologies - at the continuous protest sites along Rustaveli Avenue. However, on December 14 of last year, it became publicly known that Georgia’s Public Safety Command Center (112) had procured Chinese-made surveillance cameras capable of recognizing human faces and emotions.[4] At that time, Georgian Dream had already introduced legislative proposals to ban face coverings at protests and to increase penalties for blocking roads. According to the manufacturer’s official website, the acquired surveillance cameras are capable of high-resolution imaging and can identify a person’s age, gender, emotional state, and facial features - even when a medical mask is worn.

Facial recognition cameras placed in public space process data related to an indefinite number of individuals. The categories of processed data include a wide range of personal information, including special (sensitive) personal data. Facial recognition technologies process biometric data - specifically, individuals’ physical and behavioral characteristics. Under Article 6 of Council of Europe Convention 108, facial features are considered biometric data and therefore fall under the category of special (sensitive) personal data, requiring a high level of protection. Moreover, given that facial recognition technologies are being used at protest sites, they inherently process information on the political beliefs of thousands of individuals - a category of data that, due to its sensitivity, also qualifies as special category personal data.

Lawfulness of Biometric Data Processing

The processing of personal data by law enforcement bodies is subject to the Law of Georgia on Personal Data Protection, except in cases where the data is processed for the prevention of crime, investigation, prosecution, or other activities directly provided for by law.[5] In the context of preventing and responding to administrative offenses, the law applies standard data protection requirements to the activities of law enforcement agencies. Accordingly, the Ministry of Internal Affairs must use facial recognition cameras only if there are legal grounds for processing special category data and if the processing adheres to the principles outlined in the law.

The processing of biometric data is regulated by a special provision, which stipulates that the detection of or response to offenses does not automatically constitute a sufficient legal basis for processing this type of data. The legal grounds listed in Article 9, Paragraph 1 of the Law on Personal Data Protection are not exhaustive, and processing may also be permitted in other cases defined by legislation. As of February 6, 2025, a legislative amendment to the Code of Administrative Offenses allowed the photographing, fingerprinting, voice recording, and other measures for the purpose of identifying a person who has committed an administrative offense.[6][7] Through this amendment, "Georgian Dream" formally created a basis for processing biometric data in response to administrative offenses, by invoking the final ground provided in Article 9(1) of the Personal Data Protection Law - “other cases provided by law” - and aligning it with the newly added provision in the Code of Administrative Offenses.[8] However, this does not necessarily render biometric data processing lawful, as the existence of a legal basis alone is not sufficient. It is also necessary to adhere to the principles of data protection.

The placement of facial recognition cameras to impose administrative liability on participants of protest on Rustaveli Avenue violates several key principles established under Article 4(1) of the Law of Georgia on Personal Data Protection, including:

Data Minimization[9] – This principle requires that only the amount of data strictly necessary to achieve the lawful aim be processed. The data must be adequate and proportionate to the purpose for which it is being processed.

Processing special category data to identify protest participants using facial recognition cameras cannot be considered a necessary and proportionate measure in a democratic society, especially since law enforcement has alternative, less intrusive means to identify individuals and impose liability. Typically, police officers are present at protest sites and can request ID documents and issue fines on the spot. This approach avoids the collection, storage, and transfer of large volumes of special category data, but the police rarely use this method during large-scale protests. Instead of reacting on-site, law enforcement often relies on video recordings, which form part of a broader strategy to suppress protests and intimidate citizens. Through this, Georgian Dream seeks to instill a sense among citizens that their every move is being recorded and documented, potentially laying the groundwork for future prosecution.

Data Processing without Violating the Individual's Dignity – The fundamental goal of data protection rights is to prevent data processing that harms an individual’s dignity and rights. According to the practice of a supervisory authority in one European country, human dignity takes precedence in the context of data protection rights, based on analysis of the country's constitution, constitutional court decisions, and civil law provisions.[10]

Therefore, it is crucial that the Personal Data Protection Service assess biometric data processing within its specific context and in light of constitutional values. Law enforcement agencies most frequently use facial recognition technologies to identify individuals and impose administrative fines under Article 174¹ of the Code of Administrative Offenses. This article establishes liability for violations of rules on assembly and demonstration, including the artificial blocking of roads, which is typically relevant in protest contexts. The use of facial recognition technology becomes a basis for interfering with the freedom of assembly and expression of thousands of individuals.

The offense for which biometric and other special category data are processed does not fundamentally threaten public safety or endanger human life or health. Processing data on this scale goes beyond the objectives of detecting and preventing offenses - it becomes a means of intimidation and repression of protest participants.

Fair Processing of Data – The fairness principle requires that data be processed without causing unjust or unfair consequences for the subject. International standards dictate that, in assessing the fairness of data processing, consideration must be given to how the processing affects individuals and groups. If the processing results in unjust harm to even a single person, it should not be considered fair.[11]

Facial recognition cameras placed in public spaces where continuous protests are held process sensitive information, including data on political views. The recording and storage of such data may pose serious risks to protest participants, potentially leading to persecution and unwanted influence in various forms.

International Standards on the Use of Facial Recognition Technologies

According to international standards, facial recognition technology (FRT) should be used only as a measure of last resort - when less intrusive means are unavailable - and strictly in cases where its use is necessary for investigating serious criminal offenses or for other particularly significant interests, such as ensuring the safety of minors.[12]

Facial recognition technology (FRT) operates as a two-step process. In the first stage, an image of a face is captured and converted into a digital template; in the second stage, that template is compared with existing templates in a database for the purposes of identification or authentication. The large-scale processing of personal data in this manner poses risks of disproportionate interference with the right to privacy, which is often a necessary precondition for the protection of other fundamental rights (including freedom of assembly, expression, association, movement, and the right to non-discrimination and etc.). The use of FRT by law enforcement agencies may undermine social, democratic, and political stability in a country.[13]

The European Court of Human Rights (ECtHR), in the case of Glukhin v. Russia, found that the use of facial recognition technologies for the purpose of identifying, locating, and detaining an individual in the context of administrative offense proceedings amounted to a violation of the right to respect for private life. According to the Strasbourg Court, within the framework of a peaceful protest, where there is no specific threat to public safety, the identification of the individual committing the offense does not constitute a sufficiently compelling social or democratic necessity that would justify the processing of biometric data.[14]

In this judgment, the ECtHR emphasized that the use of facial recognition entails the processing of biometric data, which is directly tied to a person’s identity. Consequently, beyond data protection and privacy concerns, the use of FRT can have direct or indirect implications for several fundamental rights and freedoms enshrined in the EU Charter of Fundamental Rights (such as human dignity, freedom of movement, and freedom of assembly and etc.). The use of such cameras in public spaces effectively constitutes mass surveillance, which may only be justified in relation to the prevention of serious crimes, including terrorism - not for minor legal infractions.[15]

The risks of disproportionate interference with human rights are further heightened by the significant challenges FRT presents in terms of accuracy in identification and authentication. According to a report by the European Union Agency for Fundamental Rights, if facial recognition technologies are deployed in public gathering spaces, hundreds of individuals may be misidentified. In practice, it is nearly impossible to determine the level of accuracy of such technologies.[16]

In the context of protest activity, including administrative proceedings, the use of AI-equipped facial recognition systems has become widespread in Russia. Particularly since the 2021 protests in support of Alexei Navalny, it has served as a tool of comprehensive surveillance and retroactive punishment of dissenting individuals. While the Russian police and Moscow’s Department of Information Technology (DIT) do not disclose the exact algorithms used for identification, activists - based on case materials and court rulings - have concluded that the facial recognition program utilizes two main search systems: “Sherlock,” which works with the passport database, and PSKOV (“Search System for Critical Categories”), which draws on data from social media networks. These two systems are interconnected, and the more images the program processes, the easier it becomes to identify individuals.[17]

Under Russian federal law, the processing of biometric personal data is not permitted without a person’s prior written consent. There are narrow exceptions - for investigative purposes or the administration of justice - but these do not extend to police powers in administrative offense cases. Georgian legislation adopts an identical approach to the processing of biometric data. However, similar to the Russian context, in practice, these legal provisions fail to adequately protect demonstrators’ rights to privacy, freedom of assembly, and freedom of expression.[18]

Appeal Mechanism and the Mandate of the Personal Data Protection Service

On March 12, 2025, the Georgian Young Lawyers’ Association publicly called on the Personal Data Protection Service to examine the legality of data processing through facial recognition technologies used against peaceful protesters. In response to the public appeal, the Service clarified that proceedings had been initiated and that it could not issue a preliminary assessment before the process is concluded.[19]

In addition to scheduled inspections, the Personal Data Protection Service holds two key competences for monitoring the lawfulness of data processing:[20]

• Reviewing a complaint submitted by a data subject (the person whose data is being processed);
• Conducting unscheduled inspections (investigations) into the legality of data processing either upon receiving a notification from an interested party or on the Service’s own initiative.

Any citizen who receives an administrative offense case file from the Ministry of Internal Affairs - including a fine report and photo/video material captured by external surveillance cameras - is considered a data subject. Accordingly, they have the right to contact the Personal Data Protection Service and request an assessment of the legality of data processing concerning them, including processing of special category data.

Unlike unscheduled inspections initiated by the Service, the processing of a complaint submitted by a data subject is subject to a legal time limit. By law, the review of a complaint must not exceed two months, and this term can only be extended once by a maximum of one additional month.[21] Moreover, the data subject, as a party to the proceedings, has the right to request information from the Service about the ongoing inspection. Therefore, the mechanism of submitting complaints in the name of individual data subjects may prove more effective than relying on the Service’s initiative to launch proceedings.

Summary

Since December 2024, the Ministry of Internal Affairs has fined thousands of people based on video recordings obtained from 112, Georgia’s emergency response center. This practice is particularly evident in administrative offense cases initiated for the alleged blocking of roads, where the only evidence presented consists of photos extracted from facial recognition surveillance cameras.[22] To date, the Personal Data Protection Service has not published any information about its actions within the ongoing proceedings nor has it issued recommendations to the authorities responsible for the data processing.

Unlike criminal offenses, administrative violations do not disrupt public order and safety to such an extent that would justify the large-scale processing of personal data, including particularly sensitive data. The use of biometric data for issuing administrative fines directly violates Georgian legislation and contradicts international standards. This technology has become yet another repressive instrument in the hands of “Georgian Dream,” targeting not only the right to privacy but also fundamental freedoms of assembly and expression.

On behalf of several individuals fined for road blocking, Social Justice Center is submitting a complaint to the Personal Data Protection Service and will regularly inform the public about the progress of the proceedings.

In addition, it is crucial that all citizens who receive case files from the Ministry of Internal Affairs containing photo/video materials related to road-blocking allegations submit complaints to the Personal Data Protection Service to request a review of the legality of data processing. Regardless of the domestic legal outcome, such complaints and the ensuing dispute over the violation of the right to privacy will be significant for international legal proceedings.

To address the Personal Data Protection Service, citizens may use the complaint template we have prepared (attached):

Share