The press service of Kyrgyzstan’s Ministry of Internal Affairs issued a public notice this week telling social-media users that posts inciting interethnic discord or hatred toward foreigners, including foreign workers, will be treated as criminal conduct, not commentary. The wording was short. The legal hook behind it is not. Behind every line of that statement sits Article 330 of the Kyrgyz Criminal Code, which prescribes fines of 1,000 to 2,000 calculated rates or up to five years’ imprisonment for incitement of racial, ethnic, national, religious or inter-regional hatred, with aggravated cases reaching seven years in a strict regime colony.

What looks like a routine appeal for civility is the latest signal that Bishkek now treats online speech about its growing migrant labour force as a public-order matter. The notice lands at an awkward moment: the country has just set a record 52,000-strong foreign labour quota for the year, the highest on its books, while the same Ministry of Internal Affairs has been steadily expanding its presence on the platforms it now polices.

What the Interior Ministry Actually Said

The Ministry’s press service framed the appeal as a reminder, not a new rule. Officers urged users to refrain from any statement that could humiliate the dignity of individuals or promote discrimination based on nationality, and warned that posting such material, sharing it, or amplifying it through comments could trigger criminal proceedings.

The text drew an explicit link between online posts and offline consequences. Investigators referenced the recent appearance of a sign at the Villa Hotel in Osh, prohibiting entry to Jews and animals, which circulated on Telegram and Instagram in April and prompted public outrage. The Osh Department of Internal Affairs had already asked users not to spread provocative comments after a separate murder at a city exchange office; the new notice extends that posture nationwide.

Any actions violating interethnic harmony, public order and the rights of citizens will be prosecuted in accordance with the legislation of the Kyrgyz Republic.

That line, attributed by Ministry communications to its own press service, is the operative paragraph. It does not introduce a new statute. It tells the country’s roughly 4.5 million internet users that the existing one is live.

Why the Warning Lands in a 52,000-Worker Year

Kyrgyzstan has spent the past 18 months reorganising itself around imported labour for the first time in its post-Soviet history. Mirlan Baigonchokov, deputy minister of labour, told the Ishenim parliamentary group earlier this year that the 2026 foreign quota would be set at 52,000 workers, citing shortages in construction, light industry and services that domestic supply could not cover after Russia tightened its migration regime.

The composition of that pipeline is what makes the Ministry’s social-media warning more than ceremonial. According to recruitment data first reported by Kyrgyz outlets and summarised in RFE/RL’s mass-labour-exporter explainer, Bangladeshis accounted for nearly half of foreign-worker placements as of May 2024, Pakistanis for around a quarter, and Chinese nationals for 16 percent. Those three groups are also the most frequent targets of viral anti-migrant videos that have circulated on Kyrgyz-language Telegram channels for two years running.

Anti-migrant sentiment is not new in Bishkek. What is new is the demographic mismatch: a country that sent more than 1.1 million of its own citizens to work in Russia is now hosting tens of thousands of South Asians and Chinese on its own streets. The Interior Ministry knows the platform pattern that preceded the May 2024 mob violence at South Asian dormitories. The current notice is, in effect, a pre-emptive enforcement reminder before the summer construction season ramps up.

Article 330’s Track Record on Facebook and Telegram

The criminal provision the Ministry is invoking has been used against private users, journalists and human-rights defenders with a frequency that civil-society groups now call routine. During the September 2022 Kyrgyz-Tajik border conflict, the Interior Ministry confirmed it was investigating roughly 20 social-media users under the same article for posts described as provoking interethnic hostility. None of those cases produced a custodial sentence, but the message was filed.

The pattern has accelerated since.

Vague Wording, Wide Discretion

Defence lawyers in all four cases have argued that the law’s wording lets prosecutors treat almost any sharply worded post as incitement once a state-appointed expert signs off. The Institute for the Rule of Law in Kyrgyzstan flagged this dependence on “linguistic expertise” as the most exploited feature of the statute, because the experts are commissioned by the same agencies bringing the case.

The Cost of a Single Post

For a low-income user, the financial exposure is severe. 100,000 som is roughly two months of median wages in Bishkek and four months in rural oblasts. The seven-year ceiling for aggravated cases means a single forwarded video, in theory, carries a heavier maximum than several non-violent property offences in the same code.

The Osh Flashpoints That Drew the Notice

The Ministry’s warning did not appear in a vacuum. A series of online flashpoints over the past 18 months has kept the agency’s monitoring teams busy and given prosecutors reason to point to live precedent.

1. April 2026, Villa Hotel sign, Osh. A printed notice barring Jews and animals from a hotel entrance appeared in user-shot footage on Telegram and ricocheted across Kyrgyz-language channels, prompting the Ministry’s first explicit reference to xenophobic posting in months.
2. March 2026, exchange-office murder, Osh. A homicide at a currency-exchange counter triggered a wave of speculation naming a foreign national, before police identified a Kyrgyz suspect. The Osh Department of Internal Affairs separately asked users to stop spreading unverified claims.
3. May 2024, Bishkek dormitory attacks. Mob violence at South Asian student and worker dormitories was preceded by viral videos alleging assaults on Kyrgyz women, later shown to involve unrelated parties. Several Pakistani and Bangladeshi residents were hospitalised, and the Foreign Ministry briefly suspended outbound recruitment from Islamabad.
4. 2022 to 2024, anti-Chinese protest cycles. Multiple smaller protests at Chinese-operated mining and construction sites drew their organising energy from Facebook events and Telegram groups, several of which were later cited in court filings.

None of these incidents produced isolated viral posts. They produced sustained content cycles, often resurfacing weeks later when an unrelated event reactivated the original framing. That is what the Interior Ministry is trying to interrupt.

The Free-Speech Side of the Ledger

The same enforcement architecture that lets Bishkek pursue genuine racist posting has been used, repeatedly, against journalists and opposition voices. Human Rights Watch’s 2026 country chapter on Kyrgyzstan documents amendments enacted in January that criminalised libel and insult, empowering the Ministry of Culture to impose fines of up to 200,000 soms without judicial approval, plus July rules adding 20,000-som and 65,000-som penalties for individuals and media outlets spreading content deemed false or unreliable.

The April TV closure in July, ordered after authorities accused the broadcaster of “sarcasm and mockery” that could destabilise public order, sits in the same legal family. So does the September conviction of four Kloop news staffers for calling for mass unrest. Civil-society groups read the new social-media notice through that lens: a broadly worded reminder that the state can choose any post on any platform and find a hook.

The chilling effect is measurable. The International Partnership for Human Rights, in a March report, surveyed Kyrgyz activists and found that 64 percent of respondents had self-censored online in the previous six months, citing Article 330 specifically more often than the new false-information rules.

How This Compares to Other Online-Speech Regimes

Kyrgyzstan is not the only country tightening platform speech this year, and the model it is converging on is recognisable. Vietnam’s Decree 174, covered in our earlier piece on Hanoi’s social-media content fines, layers administrative penalties on top of criminal incitement statutes in a structurally similar way. The Vietnamese rules cap fines at roughly $1,150 per violation; the Kyrgyz Ministry of Culture’s discretionary 200,000-som ceiling lands in the same band.

Where the two systems diverge is on enforcement venue. Vietnam’s regulators handle most cases administratively, with criminal escalation reserved for repeat or high-profile offenders. Kyrgyzstan routes nearly every Article 330 referral through investigators first, which means a low-volume post can land directly in the criminal track. Combined with the country’s reliance on government-commissioned linguistic experts, that produces a system in which the upfront procedural cost of being investigated is itself the deterrent, regardless of conviction rates.

For platforms, the practical implication is narrower. Meta, ByteDance and Telegram have so far declined to open formal liaison offices in Bishkek. The state is therefore enforcing against users, not infrastructure, and the user-side exposure is what the Interior Ministry’s notice is designed to make visible.

What Users and Employers Should Expect This Summer

The Ministry has signalled three things at once. It wants xenophobic content reported, not amplified. It is willing to use a statute civil-society groups consider overbroad to do so. And it is doing so just as the foreign labour quota tops out for the year, which means the volume of source material for viral content will only rise.

Employers of foreign workers, particularly in construction and the garment sector, have already adjusted internal policies. Several Bishkek-based contractors with Bangladeshi crews now ask supervisors to flag any locally produced video featuring their employees, and to report incidents to district police before they spread. The Federation of Trade Unions of Kyrgyzstan, in a statement last week, asked the Ministry to publish quarterly figures on Article 330 cases tied to anti-migrant content, separating them from political-speech prosecutions.

That request matters because the same enforcement tool sits over two very different problem sets. If the next batch of cases concentrates on genuine racist mobilisation around the South Asian and Chinese workforce, the Ministry’s notice will read in hindsight as preventive policing of a real risk. If the cases drift toward critical journalists, opposition figures or rights activists posting about migration policy, the notice will read as a license expansion. The same statute can produce either outcome, and the next 90 days of arrests will tell users which one they are living under.

BlackBerry’s U.S. listing closed Tuesday at $8.39, up roughly 6.1% on the first session after Memorial Day, with about 39.7 million shares changing hands and an intraday high of $8.77. The price sits well above the $5.16 average target that eight analysts on S&P Global Market Intelligence were still publishing before CIBC raised its number this week.

The gap is the story. A Canadian software name once shorthand for failed phones is now trading on a QNX automotive backlog of roughly $950 million, a fresh FedRAMP renewal at the U.S. government’s highest civilian-cloud bar, and a share repurchase authorization that started two weeks ago.

The Setup Behind the $8.39 Close

Tuesday was the first U.S. trading session after the Memorial Day holiday closure, and BlackBerry walked into it with a strong Friday tape and a wave of fresh attention on its government-security business. The broader market did not hurt: S&P 500 and Nasdaq names rallied on AI optimism, and the Invesco QQQ ETF added 1.4%.

The trading session put the stock back into the same volume class as other mid-cap software names, a place its float had not reliably occupied for years.

What the table does not show is the catalyst stack feeding the bid. Three distinct items hit the wire in the two weeks before Tuesday’s open, and the market spent the session pricing them as one story rather than three.

CIBC’s Number, FedRAMP’s Renewal, the Buyback’s Window

CIBC Capital Markets lifted its BlackBerry price target from $6 to $8.50 and kept an Outperform rating, citing clearer visibility into profitable growth across QNX and Secure Communications. The bank flagged QNX demonstrations on Intel and NVIDIA hardware and pointed to a new robotics architecture benchmark report as evidence that the operating system is no longer confined to dashboards.

That note landed on a market already digesting two earlier items.

• On May 8, the company filed an SEC disclosure renewing its normal course issuer bid, the Canadian-market term for a buyback. The authorization lets BlackBerry repurchase up to 26,785,714 shares, about 4.58% of the public float as of April 30, and runs from May 12, 2026 through May 11, 2027. Any shares bought back are cancelled.
• On May 20, BlackBerry AtHoc, the emergency-communications platform, secured its 2026 FedRAMP Class D (High) re-certification, the U.S. federal cloud-approval bar for sensitive unclassified data where a loss of confidentiality or availability would cause severe or catastrophic consequences. The company says 80% of U.S. federal agencies use the platform.
• QNX, the embedded operating-system unit, posted a record quarter in early April, with $78.7 million in revenue and a royalty backlog the company now puts at roughly $950 million.

Stacked, those items read less like three press releases and more like a balance-sheet thesis. A buyback program signals management confidence in cash generation. The FedRAMP renewal locks in the federal customer base for another certification cycle. The royalty backlog effectively pre-sells revenue that has not yet been recognized.

That is what CIBC’s upgrade was paying for. The peer reaction was muted: CrowdStrike rose 1.7%, Palo Alto Networks slipped 0.9%, and SentinelOne fell 0.6%, so this was not a cyber-sector rally riding along.

QNX Is the Engine, Not the Logo

The brand is what makes the chart screenshot interesting. The business is what makes Tuesday’s close defensible.

The Revenue Mix Has Tilted

QNX (the safety-certified real-time operating system embedded in cars, medical devices, and industrial controllers) brought in $268.0 million in fiscal 2026 (the year ended February 28), or close to half the company’s full-year revenue of $549.1 million. Fourth-quarter QNX revenue of $78.7 million was up 20% year over year, and the segment grew 14% for the full year, per BlackBerry’s Q4 fiscal 2026 results filed with the SEC.

Secure Communications, the older institutional-software unit that houses AtHoc and the SecuSUITE encryption stack, generated $258.9 million for the year, with $72.5 million in the fourth quarter, up 8% from a year earlier.

The Backlog Tells the Forward Story

The figure that anchors the bull case is the $950 million QNX royalty backlog, meaning per-unit license revenue that will be recognized as vehicles roll off production lines. The backlog represents more than twice the segment’s current annualized royalty recognition rate, which is what gives the multi-year revenue visibility that CIBC and other constructive analysts have started leaning on.

For fiscal 2027, BlackBerry guided to total revenue of $584 to $611 million, with QNX at $290 to $307 million and adjusted EBITDA (earnings before interest, taxes, depreciation, and amortization) of $110 to $130 million. The Q1 fiscal 2027 quarter wraps May 31, with results scheduled for June 25.

The Design Wins Behind the Number

QNX software is now embedded in more than 275 million vehicles globally, up roughly 100 million since 2020. Named original equipment manufacturer (OEM) customers include BMW, Bosch, Continental, Geely, Honda, Hyundai, Mercedes-Benz, Toyota, Volkswagen, and Volvo. Fresh design wins disclosed alongside the fiscal year results include BMW Group and Volvo Cars, plus a Johnson & Johnson contract for an artificial-intelligence-enabled medical device.

That is the second-order shift the share price is starting to reflect: a software company whose largest single segment now sells embedded operating systems into the auto and medical hardware stack, with revenue visibility extending years out.

Why Secure Communications Still Matters

The federal half of the business is the part most often left out of the QNX story. FedRAMP (the Federal Risk and Authorization Management Program, the U.S. government’s cloud-service approval framework) does not hand out Class D (High) authorizations often, and an expired certification can effectively lock a vendor out of federal procurement until a renewal lands.

BlackBerry’s AtHoc re-certification announcement on May 20 kept the platform inside that procurement perimeter.

We are the only CEM platform to reach this bar in 2025, and this re-certification reflects our sustained investment in helping organizations coordinate faster, operate more securely, and respond effectively when conditions are most demanding.

That is Ramon Pinero, general manager of BlackBerry AtHoc, speaking in the company’s May 20 release. Dubhe Beinhorn, senior vice president for the public sector inside BlackBerry Secure Communications, framed the renewal as a signal to existing federal customers that the platform will continue to meet rising compliance and resilience requirements.

Read against the QNX numbers, AtHoc is the customer-stickiness floor: 80% of U.S. federal agencies, an installed base that does not flip vendors casually, and a renewed certification that buys time before the next compliance review.

The Analyst Gap That Hasn’t Closed

The argument against Tuesday’s price is published every morning. S&P Global Market Intelligence aggregates eight covering analysts at a Hold rating with an average price target of $5.16, well below where the stock is trading and well below CIBC’s new mark. Those numbers were compiled before this week’s upgrade, but only one of the eight has moved publicly so far.

The dispersion is the trade. CIBC’s number prices in the QNX backlog and FedRAMP renewal as durable. The consensus number prices in the prior three years, when stagnant top-line growth and Secure Communications softness offset the QNX story and kept the share count moving the wrong way.

The June 25 print is the first quarterly result that will let the rest of the desk decide which number is right.

What Could Undo This

The mixed read is not about whether the operating numbers improved. They did. The risk is whether the price has run ahead of what the next quarter can confirm.

• Project deferrals at QNX customers. RBC has flagged the risk that platform launch delays inside automotive customers push royalty recognition out of fiscal 2027 and into later years. The $950 million backlog does not vanish, but the timing line can shift.
• Secure Communications drag. The unit grew 8% in the fourth quarter but has spent years as a flat-to-down business. If the FedRAMP renewal does not translate into net new federal contract value, the segment becomes a maintenance line item rather than a growth driver.
• Sentiment unwind. The stock is rallying in part on AI-rotation flows. If big tech sells off through June or Middle East risk reasserts itself in the macro tape, BlackBerry’s beta to that mood is high enough to give back the move quickly.
• Valuation reset. Even with the fiscal 2027 guidance, a price near $8.40 implies the market is paying for a level of QNX execution that has not yet been printed. A single miss against the high end of the guide can compress the multiple fast.

Chief Executive John Giamatteo’s framing on the April earnings call was direct: “We are no longer a company in transition.” That sentence is now load-bearing. The June print is what tests whether the market lets him keep saying it.

Heading Into June 25

The first quarterly results of fiscal 2027 land Wednesday, June 25, before the U.S. open, with the quarter closing this Sunday, May 31. BlackBerry’s guidance points to Q1 QNX revenue of $60 to $64 million and Secure Communications revenue of $66 to $70 million, with consolidated non-GAAP earnings per share of 15 to 19 cents for the full year.

If QNX prints inside or above its quarterly range and management edges the full-year backlog number up, the CIBC framework wins and the $5.16 consensus number gets revised on contact. If QNX prints below the range or the company walks back any portion of the fiscal 2027 EBITDA guide, the gap between consensus and tape closes from the other direction, and the buyback program becomes the only structural bid left under the share price.

Disclaimer: This article is for informational purposes only and does not constitute investment advice. Equity securities such as BlackBerry Limited carry market, execution, and macroeconomic risk, and past performance does not indicate future results. Readers should consult a qualified financial professional before making investment decisions. Prices, analyst targets, and operating figures are accurate as of publication.

South Korea’s Personal Information Protection Commission told the Ministry of Science and ICT on May 27 that its facial authentication pilot for mobile phone activation needs a legal overhaul before it can go live nationwide. The system, running since December 23, 2024, compares a customer’s face against the photo on their government-issued ID in real time at the point of sale. The commission says the ministry skipped the privacy review, built the system on shaky legal ground, and designed a consent flow that gives users no real choice.

The pilot was part of a joint government push to kill voice phishing, a fraud category that cost South Koreans hundreds of billions of won in 2024. SIM-swap attacks, where criminals activate a phone number in someone else’s name, are a common vector. Facial authentication was supposed to close that gap by proving the person standing in the store is the person named on the ID.

The Legal Gap the Watchdog Found

Biometric data sits in a special category under South Korea’s Personal Information Protection Act. Processing it requires either explicit consent from the data subject or a clear statutory basis. The commission reviewed the Telecommunications Business Act and related regulations and found neither. The ministry introduced facial authentication as an identity verification method without amending the law to authorize it.

The commission’s May 27 recommendation states that the current legal framework does not clearly permit facial information to be used as a means of identity authentication for phone activation. That gap matters because telecom carriers are now collecting, storing, and comparing facial scans without the statutory cover biometric processing demands.

The ministry has not yet responded publicly to the recommendation. The pilot continues to operate while the commission waits for a formal reply.

Consent That Is Not Really Consent

The second problem is structural. When a customer walks into a carrier store to activate a phone, the facial scan is presented as part of the standard identity verification flow. Refusing the scan means the activation cannot proceed. The commission determined that this design makes consent effectively mandatory, violating the principle that biometric data processing must be voluntary.

The Personal Information Protection Act allows processing of sensitive information only when the data subject has given genuine consent or when a law explicitly requires it. Because the Telecommunications Business Act does not require facial authentication, the system relies entirely on consent. But consent given under duress, where refusal blocks access to an essential service, does not meet the legal standard.

The commission also flagged the scope of data collected by the contractor operating the authentication system. It said the ministry needs to minimize what personal information flows through the contractor’s infrastructure and ensure that data retention periods are as short as technically feasible.

How the System Works Today

The facial authentication process runs in three steps. First, the customer presents a government-issued ID card at the carrier’s point of sale. Second, the system extracts the photo from the ID using optical character recognition. Third, a live camera captures the customer’s face and a matching algorithm compares the two images in real time. If the match score exceeds a threshold, the activation proceeds. If it fails, the customer must use an alternative verification method, typically a manual document check by store staff.

The system does not store the live facial image after the comparison completes, according to the ministry’s December 2024 briefing. The ID photo is likewise discarded once the session ends. But the commission’s review found that metadata about the transaction, including timestamps and match scores, persists in the contractor’s logs for an unspecified period, raising questions about secondary use and data minimization.

The Voice Phishing Context

Voice phishing, known locally as boseu pising, accounted for 1.2 trillion won in reported losses across South Korea in 2024, according to the Financial Supervisory Service. SIM-swap fraud is a subset of that total. Criminals obtain a victim’s personal details through phishing or data breaches, then visit a carrier store with a fake or stolen ID to activate a new SIM card in the victim’s name. Once the number is live, the attacker intercepts two-factor authentication codes sent via SMS and drains bank accounts.

The government’s comprehensive anti-phishing plan, announced in November 2024, included facial authentication as one of several technical controls. Other measures in the plan include real-time transaction monitoring by banks, mandatory cooling-off periods for large transfers, and a centralized fraud reporting hotline. The facial authentication pilot was the most visible and the most controversial.

What the Commission Wants Fixed

The commission’s May 27 recommendation lists four specific actions. First, the ministry must conduct a full necessity and proportionality review before rolling the system out nationwide. That review must weigh the privacy cost of collecting biometric data against the fraud-prevention benefit and consider whether less intrusive alternatives exist.

Second, the ministry must clarify the legal basis for processing facial information. That likely means amending the Telecommunications Business Act to explicitly authorize facial authentication as an identity verification method, or finding another statutory hook that satisfies the Personal Information Protection Act’s requirements for sensitive data.

Third, the ministry must redesign the consent flow so that customers can refuse facial authentication without losing access to phone activation. The commission suggested offering alternative verification methods, such as document checks or knowledge-based authentication, as parallel options rather than fallbacks.

Fourth, the ministry must apply privacy-by-design principles to the contractor’s system. That includes minimizing the personal information collected, shortening data retention periods, encrypting data in transit and at rest, and conducting regular audits to ensure compliance with the protection law.

Privacy-by-Design in Practice

Privacy-by-design is a framework that embeds data protection into the architecture of a system from the start, rather than bolting it on after deployment. In the context of facial authentication, it means designing the system so that the minimum necessary data is collected, the data is processed locally when possible, and the data is deleted immediately after use.

The commission’s recommendation implies that the current pilot does not meet that standard. The contractor’s system collects more data than strictly necessary for the matching operation, retains metadata longer than the transaction requires, and lacks transparency about how the data flows through the infrastructure. The commission wants those gaps closed before the system scales.

The Proportionality Question

Proportionality is the legal test that balances the benefit of a data processing activity against the harm it causes to individual rights. The commission’s recommendation asks whether the fraud-prevention benefit of facial authentication justifies the privacy cost of collecting biometric data from every phone customer.

The ministry’s December 2024 briefing cited a 40 percent reduction in SIM-swap fraud cases during the first two months of the pilot, based on carrier-reported data. The commission has not disputed that figure, but it argues that the reduction alone does not prove proportionality. The test also requires considering whether less intrusive methods, such as improved document verification or multi-factor authentication using non-biometric factors, could achieve a similar result.

The commission also noted that the pilot’s scope is narrow. It applies only to in-store activations, not to online activations or SIM swaps initiated through customer service channels. That means the system addresses only a fraction of the fraud surface, raising questions about whether the privacy cost is justified by the partial coverage.

What Happens If the Ministry Ignores the Recommendation

The Personal Information Protection Commission’s recommendations are not legally binding, but they carry significant weight. If the ministry proceeds with a nationwide rollout without addressing the commission’s concerns, the commission can escalate to a formal investigation and issue a corrective order. Corrective orders are enforceable and can include fines, suspension of the system, and mandatory deletion of collected data.

The commission has used that authority before. In 2023, it ordered a major e-commerce platform to delete facial recognition data collected without proper consent and fined the company 2.8 billion won. The ministry is unlikely to risk a similar outcome, especially given the political sensitivity of privacy issues in South Korea following several high-profile data breaches in recent years.

The Broader Biometric Debate

South Korea is not the only country grappling with the trade-off between biometric convenience and privacy risk. India’s Aadhaar system, which uses fingerprints and iris scans for identity verification, has faced years of legal challenges over consent and data security. The European Union’s General Data Protection Regulation treats biometric data as a special category requiring heightened protection, and several EU member states have banned facial recognition in public spaces.

The South Korean debate is playing out in a regulatory environment that is more permissive than the EU but stricter than the United States. The Personal Information Protection Act, enacted in 2011 and amended several times since, gives the commission broad authority to review and block data processing activities that fail to meet legal standards. The commission has used that authority aggressively in recent years, particularly in cases involving biometric data and location tracking.

The facial authentication pilot is a test case for how far the government can push biometric surveillance in the name of fraud prevention. The commission’s May 27 recommendation suggests the answer is: not this far, not without a legal foundation and a genuine consent mechanism.

What Comes Next

The ministry has not set a timeline for responding to the commission’s recommendation. The pilot will continue to operate in its current form until the ministry decides whether to proceed with a nationwide rollout, scale back the system, or abandon it entirely. The commission said it will monitor the ministry’s response and will support the government’s anti-phishing efforts as long as they comply with the Personal Information Protection Act.

The outcome will likely hinge on whether the ministry can find a legal basis for facial authentication that satisfies the commission. Amending the Telecommunications Business Act would require legislative approval, a process that could take months or years depending on political priorities. Without that amendment, the system remains on shaky ground, and the commission’s next move could be a formal order to shut it down.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations vary by jurisdiction, and individuals concerned about biometric data collection should consult a qualified legal professional. Figures and regulatory details are accurate as of publication.