Understanding the new law "On personal data": imaginary and real risks

On September 1, amendments to the law "On personal data" come into effect. To one degree or another, they will affect all citizens of Russia. MakRadar contacted a number of Russian lawyers and representatives of Internet companies and found out all the nuances of this law.

The amendments themselves are small, taking up only one and a half standard A4 pages, and anyone can read them directly. There are two main innovations:

  • From September 1, all legal entities working with personal data of Russians must store databases on the territory of the Russian Federation - on their own or rented servers.
  • The automated information system "Register of violators of the rights of subjects of personal data" is being created.

Personal data - any information related to a specific individual. This can be surname, first name, patronymic, year, month, date and place of birth, address, family, social, property status, education, passport data, profession, income and other information.

Let's see what the above-mentioned "Register …" is, what risks the law carries for representatives of the Internet industry, how much it "costs" to comply with the law for companies and what responsibility the violators will incur.

What is the "Register of violators of the rights of subjects of personal data"

This register will include the names of sites and pages on the Internet on which personal data is processed in violation of the law. It can be absolutely any site: online stores, hotels, airlines, media and others. “Since the law does not specify for what kind of violations the sites will be included in this register, it can be assumed that such a violation could be any non-compliance with the rules of the law on personal data,” says Daria Sukhikh, senior associate of Team 29. “The procedure for maintaining the register will be determined by the Government of the Russian Federation. It is noteworthy that a site or a page can be entered into this register only on the basis of a court decision that has entered into force, which recorded a violation of the law in the processing of personal data.”

Processing of personal data - operations with personal data, such as: collection, accumulation, storage, clarification, update, change, use, distribution, transfer, depersonalization, blocking and destruction.

Who falls under the law

The law covers distance selling companies, transport, tour operators and booking systems, recruitment agencies, telecom operators, the banking industry and payment systems. According to the July meeting between RAEC, the Russian-British Chamber of Commerce and Roskomnadzor, more than 54% of IT companies are ready to comply with all the requirements of the law, another 27% said they were partially ready, and 19% were not completely ready. Financial problems and lack of technical capacity were identified as the main difficulties in implementing the law.

Main risks for business

“We do not see significant risks for the business,” says Yana Barash, senior legal counsel of OZON Group. “The provisions on cross-border transfer of personal data are not affected by the amendments, and therefore the transfer of personal data of Russian citizens to foreign service providers will continue to be possible.” Kirill Mityagin, partner of Nevsky IP Law, believes: “The main risk is failing to understand the requirements of the law for operators and the rules for processing personal data. For example, failing to submit a notice of inclusion in the Roskomnadzor register (as of July 31, 2015, there are more than 330 thousand operators in the register), or committing violations in the processing of personal data, which entails civil, administrative and even criminal liability.”

Potential threats for ordinary Internet users

The main threat for the average user is that his favorite resource may not be able to cope with the costs of protecting personal data and will be closed. “Compliance with the law makes our project 45% more expensive,” says Oleg Gribanov, executive director of the service. “These are inevitable costs if we want to comply with the law, and we will in no case violate it. I cannot say how much we will spend on buying and renting servers and training staff for work; this is a commercial secret.” “Today, servers can be purchased at prices ranging from 40 to 600 thousand rubles, but a more or less high-quality product will definitely cost more than one hundred thousand; in addition, the choice will depend on the amount of stored data,” explains Alexander Trifonov, chief expert of legal service. “There is also the possibility of renting a server; offers start from five to six thousand rubles, so such a budget option can suit companies that are not ready to immediately spend several hundred thousand.”

Personal data protection is a set of administrative measures and technical protection methods to counter the unauthorized use of personal data.

Responsibility for non-compliance with the law "On personal data"

Failure to comply with the data protection law carries criminal and administrative liability. “Illegal access to legally protected computer information carries liability under Art. 272 of the Criminal Code of the Russian Federation,” says Anton Tolmachev, managing director of the company "YurPartner". “But this is heavy artillery. More often, a violation of the law "On personal data" is an administrative offense, for example, under article 13.14 of the Administrative Code of the Russian Federation "Disclosure of information with limited access" or article 13.12 "Violation of information protection rules."” “Now the company bears administrative responsibility for violation of the procedure for processing personal data in the form of a fine from 5 to 10 thousand rubles (Article 13.11 of the Administrative Offenses Code of the Russian Federation) and for violation of information protection requirements - from 10 to 15 thousand rubles (Part 6 of Article 13.12 of the Administrative Code RF),” explains Kirill Mityagin, partner of Nevsky IP Law.

The State Duma of the Russian Federation plans to adopt amendments to the Administrative Code. The minimum fine will be 50,000 rubles, and the maximum - 300,000 rubles.

Experience of other countries in the protection of personal data

In the EU countries, the protection of personal data is regulated by Directive 95/46/EC (1995) and a number of subsequent documents, but after the Snowden case it became clear that the legislation in the field of personal data protection requires a major change. EU countries are now creating a General Data Protection Regulation. It will include such concepts as processor and recipient of personal data, personal identifier and online identifier. The concept of "sensitive data" will be introduced, which will include human genetic and biometric data and much, much more.

Summary

Almost all countries of the world are now involved in changing legislation in the field of regulating the processing and protection of personal data. The fact that Russia is at the forefront is nothing more than a coincidence. However, the peculiarity of the Russian approach is always “the law of the state”, while in Western countries it is human rights. Hence the fears that the new law was created primarily to control the actions of citizens, and not to protect their personal data.
